What is the MountLocker Ransomware?

First observed in July 2020, the MountLocker ransomware attempts to extract seven-figure payments from its corporate victims.

Ransomware has become a multi-billion-dollar industry in recent years, with cybercriminals employing new techniques and expanding into new markets to maximise their profits. Ransomware is malicious software that infects a system and encrypts (and in some cases also steals) data, then demands a ransom payment in return for the decryption key. The victim then has to decide whether to pay the ransom in exchange for the key, or to restore their data from a backup if one is available. Not only can this be incredibly costly (the subject of this article, MountLocker, typically demands a seven-figure sum) but there is no guarantee that the promise will be honoured and a working decryption key delivered. There is also the issue of bowing to cybercriminals to consider: the more victims pay up, the more the practice of infecting systems is encouraged. In recent years the number of ransomware attacks has skyrocketed, as has the average ransom payment. In 2019 the average ransom payment more than doubled, from $41,179 in Q3 to $86,116 in Q4, according to the Ransomware Marketplace report.

MountLocker first emerged in July 2020: victims' networks are encrypted and a Bitcoin payment is demanded in return for the decryption key. The operators also threaten to leak data stolen from the organisation unless the ransom is paid, a double-extortion tactic that piles further pressure on the victim. MountLocker has been observed operating through an affiliate network: affiliates bring access to networks they have already compromised, and the ransomware is deployed from there. Once present on a system, MountLocker first attempts to steal sensitive files, then encrypts non-system files using the ChaCha20 stream cipher. The ransom note, named RecoveryManual.html, contains instructions on how to contact the ransomware's operators and decrypt the affected data.
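Two of the details above are directly usable for triage on a file share that may have been hit: the ransom note file name RecoveryManual.html, and the fact that ChaCha20 output is indistinguishable from random bytes, so encrypted files show near-maximal byte entropy. The following script is an added example written for this article, not code from the MountLocker research it summarises. It walks a directory tree, records every ransom note by name and flags files whose entropy is close to 8 bits per byte. The threshold value, the 16 KiB sample size and the constructed sample tree are assumptions made for the example; real compressed media (zip, jpeg, video) also scores high, so the entropy check only selects candidates for manual review, not confirmed victims.

```python
import math
import os
import tempfile
from collections import Counter

# Name of the MountLocker ransom note as described in the article.
RANSOM_NOTE_NAME = "RecoveryManual.html"

# Bits per byte above which a file is treated as a stream-cipher ciphertext
# candidate. Assumed value for this example; compressed media also scores high.
ENTROPY_THRESHOLD = 7.9

# Files smaller than this are skipped: entropy estimates on tiny inputs are noisy.
MIN_SIZE = 256


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage_tree(root: str) -> dict:
    """Walk `root`; return ransom notes found and high-entropy candidate files."""
    report = {"ransom_notes": [], "high_entropy": [], "scanned": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                report["ransom_notes"].append(path)
                continue
            try:
                size = os.path.getsize(path)
            except OSError:
                continue
            if size < MIN_SIZE:
                continue
            # The leading 1 MiB is enough to estimate entropy; avoids reading huge files.
            with open(path, "rb") as fh:
                sample = fh.read(1024 * 1024)
            report["scanned"] += 1
            ent = shannon_entropy(sample)
            if ent >= ENTROPY_THRESHOLD:
                report["high_entropy"].append((path, round(ent, 3)))
    return report


def build_sample_tree() -> str:
    """Create a constructed directory tree simulating an affected share.

    Constructed sample data for this example, not a real MountLocker artefact.
    """
    root = tempfile.mkdtemp(prefix="mountlocker_triage_")
    os.makedirs(os.path.join(root, "finance"))
    # Untouched plaintext document: low entropy.
    with open(os.path.join(root, "finance", "report.txt"), "w") as fh:
        fh.write("Quarterly revenue summary.\n" * 40)
    # Simulated encrypted file: random bytes stand in for ChaCha20 output.
    with open(os.path.join(root, "finance", "ledger.xlsx"), "wb") as fh:
        fh.write(os.urandom(16384))
    # Ransom note dropped alongside the encrypted data.
    with open(os.path.join(root, "finance", RANSOM_NOTE_NAME), "w") as fh:
        fh.write("<html><body>Your files are encrypted.</body></html>")
    return root


if __name__ == "__main__":
    r = triage_tree(build_sample_tree())
    print(f"scanned {r['scanned']} files")
    print("ransom notes:", r["ransom_notes"])
    print("high-entropy candidates:", r["high_entropy"])
```

Run it against a real share by replacing `build_sample_tree()` with the mount point; the list of ransom note locations doubles as a map of which directories the encryptor reached, which is useful scoping input for the incident timeline.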

MountLocker gets in through common security weaknesses rather than novel exploits, so the best defence against it, and against ransomware generally, is basic hygiene: strong, unique passwords, two-factor authentication wherever it is available, and prompt installation of security updates. The only dependable way to recover data encrypted by ransomware without paying is to restore from a recent backup, so back up regularly, keep at least one copy offline where a compromised account cannot reach it, and test that the backup actually restores before you need it.
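A backup only counts if it restores cleanly, and a backup the ransomware could reach may itself have been encrypted or deleted. The following script is an added example for this article, not the page's own tooling: it records a SHA-256 manifest of the live data at backup time, then checks a restored copy against that manifest and reports files that are intact, modified or missing. The `simulate()` function builds a constructed tree, takes a backup, tampers with it the way an encryptor would (one file overwritten with random bytes, one deleted) and runs the check; the file names and layout are assumptions made for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restored_root: str, manifest: dict) -> dict:
    """Compare a restored tree against the manifest captured at backup time."""
    result = {"ok": [], "modified": [], "missing": []}
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(restored_root, *rel.split("/"))
        if not os.path.exists(full):
            result["missing"].append(rel)
        elif sha256_file(full) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def simulate() -> dict:
    """Constructed end-to-end run: manifest, backup, tamper, verify."""
    work = tempfile.mkdtemp(prefix="backup_check_")
    live = os.path.join(work, "live")
    os.makedirs(os.path.join(live, "hr"))
    with open(os.path.join(live, "hr", "payroll.csv"), "w") as fh:
        fh.write("name,salary\nalice,1\n")
    with open(os.path.join(live, "notes.txt"), "w") as fh:
        fh.write("keep one copy offline\n")
    with open(os.path.join(live, "readme.md"), "w") as fh:
        fh.write("# restore procedure\n")

    # Manifest is written at backup time and must be stored with the offline copy.
    manifest_path = os.path.join(work, "manifest.json")
    with open(manifest_path, "w") as fh:
        json.dump(build_manifest(live), fh)

    # The "backup" here is a plain copy; a real offline copy sits on detached media.
    backup = os.path.join(work, "backup")
    shutil.copytree(live, backup)

    # Simulate a backup the ransomware reached: one file encrypted, one deleted.
    with open(os.path.join(backup, "hr", "payroll.csv"), "wb") as fh:
        fh.write(os.urandom(64))
    os.remove(os.path.join(backup, "notes.txt"))

    with open(manifest_path) as fh:
        stored = json.load(fh)
    return verify_restore(backup, stored)


if __name__ == "__main__":
    for state, files in simulate().items():
        print(f"{state}: {files}")
```

The manifest must live with the offline copy, not on the network it protects, otherwise an attacker who reaches the backup can also rewrite the record you would use to check it.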