A relatively new form of MountLocker ransomware appears to be quickly signing up affiliates that are launching attacks targeting a wide variety of data types with greater frequency.
The Blackberry Research and Intelligence Team has issued a report noting that lightweight MountLocker ransomware was updated last month to both broaden the targeting of file types and better evade security software.
Cybercriminals are combining MountLocker, which is less than 100Kb in size, with malware such as AdFind to perform network reconnaissance and CobaltStrike Beacon to spread that malware laterally once it is installed.See how cybercriminals are combining #MountLocker #ransomware with other #malware to help it spreadClick To Tweet
MountLocker is distributed via a ransomware-as-a-service platform that enables files to be encrypted using ChaCha20 algorithms. The file encryption keys, meanwhile, are encrypted using the RSA-2048 cryptographic scheme. The report notes most of the attacks that employ MountLocker are usually employing IT tools based on the remote desktop protocol (RDP), which they have gained access to via compromised credentials. Those credentials were most likely gained via a successful phishing campaign or simply purchased on the Dark Web.
The BlackBerry security team reports there are no trivial MountLocker weaknesses that would allow for easy key recovery and decryption of data. The team does point out, however, that MountLocker uses a cryptographically insecure method for key generation that may be prone to attack.
The report also notes affiliates are employing MountLocker to exfiltrate sensitive client data via FTP prior to encryption. That suggests cybercriminals using this attack vector will threaten to make sensitive data public unless ransomware demands are met. In fact, recent reports indicate the amount of ransom being demanded to provide the keys needed to decrypt files is steadily increasing. A report issued by CrowdStrike estimates that 81% of the attacks it investigated that were deemed to be financially motivated attacks involved either ransomware or some type of precursor to a ransomware attack.
Keeping up with evolving ransomware attacks
Regardless of how ransomware is distributed or by whom, it has become big business. In the absence of any way to completely thwart these attacks, it’s more important than ever for organizations to have pristine copies of data that can be reliably recovered in the event critical files are suddenly encrypted. The relationship between cybersecurity and backup and recovery continues to tighten as organizations start to focus more on automating the recovery process given their inability to obliterate ransomware attacks the seem to be continually evolving. A recent session at the online Black Hat Europe conference described how ransomware attacks are not only proliferating, but the cybercriminals launching these attacks are gaining access to corporate networks faster as they adopt techniques pioneered by purveyors of attacks involving advanced persistent threats (APTs).
Of course, it has never been advisable to give in to the ransomware demands of cybercriminals. Most of them are still likely to sell data they went to the trouble of exfiltrating even after a ransomware demand is met. Nevertheless, for a variety of reasons, there are plenty of individuals and organizations that continue to pay the ransom to recover data even though all that does is provide cybercriminals with the resources required to launch yet another attack.
Short of laws that make it illegal to pay such ransoms in the name of the greater good, however, it appears ransomware will continue to plague businesses as long as allowed.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.