Security researchers have warned of a new strain of ransomware that uses affiliates to spread the malware.
In a blog post, researchers at BlackBerry said that MountLocker has been available as ransomware as a service since July and was updated in November to broaden the file types it targeted and evade security software.
The malware itself, at less than 100Kb in size, is lightweight and simple in construction. It is typically deployed as either an x86 or x64 Windows portable executable (PE) file, although occasionally as a Microsoft Installer (MSI) package.
The ransomware encrypts data of victims and demands Bitcoin as ransom. The hackers also threaten to leak stolen information if money is not received.
BlackBerry researchers said that the ransomware uses an affiliate scheme to find victims. Its investigations found that threat actors often used remote desktop (RDP) with compromised credentials to gain access to a victim’s environment. In one instance, after establishing a foothold in an organisation, there was a delay of several days before activity resumed.
“It is likely that the threat actors were negotiating with the MountLocker operators to join their affiliate program and obtain the ransomware during this pause. Upon obtaining the MountLocker ransomware, the threat actors were observed returning with several “public” tools, including CobaltStrike Beacon and AdFind from Joeware,” researchers said.
Blackberry noted that only five victims are listed on MountLocker's "News & Leaks" site hosted on the darknet, but are likely to increase.
Researchers said that the operators behind MountLocker are “clearly just warming up”.
"After a slow start in July, they are rapidly gaining ground, as the high-profile nature of extortion and data leaks drive ransom demands ever higher. MountLocker affiliates are typically fast operators, rapidly exfiltrating sensitive documents and encrypting them across key targets in a matter of hours,” they said.
-
Using WinRAR? Update now to avoid falling victim to this file path flawNews WinRAR users have been urged to update after a patch was issued for a serious vulnerability.
-
Amazon CEO Andy Jassy doubles down on the company's AI focusNews Amazon CEO Andy Jassy thinks companies need to "lean into" AI and embrace the technology despite concerns over job losses.
-
Swiss government data published following supply chain attack – here’s what we know about the culpritsNews Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackersNews While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
