Threat Watch

New “Mount Locker” Ransomware Demanding Millions

A relatively new ransomware called Mount Locker is joining several other ransomware families in stealing files before encrypting them and demanding ransom amounts in the millions. When encrypting files, Mount Locker appends an extension of the form “.ReadManual.ID” to each file name, where “ID” is a unique identifier derived from information gathered on the infected system. What makes Mount Locker unusual is that it also registers this appended extension in the Windows registry, so that a victim who double-clicks an encrypted file automatically opens the ransom note instead. Unfortunately, analysis by security researcher Michael Gillespie (@demonslay335) has shown that the attackers use strong encryption, and the files cannot currently be decrypted without the attackers’ decryption key.
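The registry trick described above leaves an artifact a responder can look for: a file-extension key whose name begins with “.ReadManual” and a shell “open” handler wired to it. The PowerShell below is an added triage example, not code from the article or from any analysis of the malware; the “.ReadManual” prefix is the only detail taken from the report, and the assumption that the association lives under the usual extension/ProgID layout in HKEY_CLASSES_ROOT (the merged view of HKLM and HKCU Software\Classes) is mine.

```powershell
# Added triage example: list file-extension keys under HKCR that start with a
# given prefix and show which "open" command they resolve to. Run in an
# elevated PowerShell on the suspect Windows host. Assumes the malware uses
# the standard extension -> ProgID -> shell\open\command layout.

function Get-SuspiciousExtensionHandlers {
    param(
        [string]$Prefix = '.ReadManual'   # extension prefix reported for Mount Locker
    )
    $root    = 'Registry::HKEY_CLASSES_ROOT'
    $results = @()

    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "$Prefix*" } |
        ForEach-Object {
            $ext = $_.PSChildName
            # The (default) value of an extension key names its ProgID.
            $progId  = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            $command = $null
            if ($progId) {
                $cmdKey = "$root\$progId\shell\open\command"
                if (Test-Path $cmdKey) {
                    $command = (Get-ItemProperty -Path $cmdKey).'(default)'
                }
            }
            # Some associations put shell\open\command directly under the extension key.
            if (-not $command) {
                $direct = "$($_.PSPath)\shell\open\command"
                if (Test-Path $direct) {
                    $command = (Get-ItemProperty -Path $direct).'(default)'
                }
            }
            $results += [pscustomobject]@{
                Extension   = $ext
                ProgId      = $progId
                OpenCommand = $command
            }
        }
    return $results
}

# Usage: show findings on screen and keep a CSV for the incident record.
$hits = Get-SuspiciousExtensionHandlers
if ($hits) {
    $hits | Format-Table -AutoSize
    $hits | Export-Csv -Path "$env:TEMP\readmanual-extensions.csv" -NoTypeInformation
} else {
    Write-Host "No '.ReadManual*' extension handlers registered."
}
```

Any hit whose OpenCommand points at a document or script rather than a legitimate application is worth pulling into the investigation alongside the encrypted files themselves.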

ANALYST NOTES

Exposed Remote Desktop (RDP) servers with weak credentials and phishing attempts are still two of the most common ways ransomware finds its way into a network. RDP servers should be placed behind a VPN if external access is needed, rather than exposing them directly to the Internet. Strong credentials and multi-factor authentication should be enforced as well. Organizations should also invest in regular security awareness training to teach employees what to look out for in a suspicious email. To protect the organization from data loss, follow the 3-2-1 backup rule. Keep at least three copies of your data. Store the copies on at least two different forms of storage media. Keep one copy offsite. Should ransomware ever encrypt one form of backup connected to the victim machine, recovery should be possible with another safe copy.

Source: https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/