Why the Mount Locker Ransomware Tactical Shift Should Concern You

According to a recent report from ThreatPost, the Mount Locker ransomware appears to be changing tactics and threat models which could put businesses at serious risk. 

Mount Locker ransomware first appeared as a ransomware-as-a-service from the latter half of 2020; it exploits legitimate tools to conduct its illicit activities such as file encryption and theft.   The ransomware group behind the attack. Now, the updated malware incorporates sophisticated scripting and anti-prevention features, including detection evasion. 

This prominent example highlights how hackers rarely if ever rest on their laurels; they always innovate and update their malware in much the same way that endpoint security solutions innovate. It’s another part of the dance between hacker and security professional. Unfortunately, the steps of this dance could trample your business if you aren’t prepared. 

To learn more, we compiled commentary from cybersecurity experts. Here’s what they had to say.  

Why the Mount Lock Ransomware Should Concern You

Anurag Gurtu

Anurag Gurtu is Chief Product Officer at StrikeReady.

“In general, these Locker-named ransomware attacks can be categorized in two broad attack types – Commodity and APT. These days, the most notorious threat actor involved with the ransomware attacks is FIN6 and Lazarus Group.  

FIN6 is very well known to target hospitality, retail, and e-commerce, whereas Lazarus goes after both private sector and government agencies. 

Some of the most recent attacks that StrikeReady has observed and captured from the wild (with the name Locker) are Ragna Locker, Vega Locker, Cobra Locker, Pure Locker, Screen Locker, VHD Locker, and Locker Goga. These attacks are targeting large energy/utility giants, insurance companies,  government agencies and enterprises that use very well known databases.”

Darren Mar-Elia

Darren Mar-Elia is VP of Products at Semperis.

“Mount Locker’s evolution and growing sophistication are a sign of the next phase we’re seeing in ransomware. Evading detection by leveraging legitimate tools is nothing new, but this shift reinforces the need for organizations to stay ahead of new TTPs by quickly embracing resources for monitoring their environment on an ongoing basis. With Bloodhound and AdFind being used by MountLocker to probe Active Directory, for example, security teams should be assessing their AD security regularly. New tools…can be used for this purpose, but organizations need to know where to look to find their own weaknesses. Really, it’s an arms race between attackers and defenders with billions of dollars on the line.”

Rajiv Pimplaskar

Rajiv Pimplaskar is VP at Veridium. 

“There has been a 72% increase in ransomware over the past year that can be correlated with the COVID19 related shift to remote work and the increased use of non-company provided computers and smartphones.  Complex passwords that are often written down are quite common across the Healthcare sector making the environment especially vulnerable to credential theft.  Password reuse also facilitates easier lateral movement of such attacks between various IT systems as ransomware groups seek out Personally Identifiable Information (PII).  Biotech firms and healthcare institutions should look at adopting passwordless authentication methods such as “phone as a token” and /or FIDO2 in order to strengthen the digital identity of all users.  This could reduce the incidence of credential theft and ransomware thereby keeping patient data safe as well as improving user experience and productivity for both providers and staff.”

Thanks to these experts for their time and expertise on the Mount Locker Ransomware tactical changes. For more, check out the Endpoint Security Buyer’s Guide. Alternatively, check out the Solutions Suggestion Engine.