Mount Locker ransomware operators demand multi-million dollar ransoms

Pierluigi Paganini September 28, 2020

The operators behind new ransomware dubbed Mount Locker have adopted the same tactic of other gangs threatening the victims to leak stolen data.

A new ransomware gang named Mount Locker has started its operations stealing victims’ data before encrypting.

According to BleepingComputer, the ransomware operators are demanding multi-million dollar ransoms.

Like other ransomware operators, Mount Locker started targeting corporate networks, it has been active since the end of July 2020.

“From ransom notes shared with BleepingComputer by victims, the Mount Locker gang is demanding multi-million dollar ransom payments in some cases.” reported BleepingComputer.

Mount Locker
Mount Locker ransom note (Source BleepingComputer)

In one of the attacks attributed to the group, the gang stole 400 GB of data from the victim and threatened it to share them with the its competitors, the media outlets, and TV channels, if the ransom is not paid.

The victim decided to not pay the ransom and the group published its data on its data leak site.

Currently, the data leak site includes the name of other alleged victims, and for one of them, it contained the leaked files.

Recently the ransomware operators claimed to have stolen the files from ThyssenKrupp System Engineering, from security company Gunnebo, and the provider of Nitonol components Memry, and Makalot.

https://twitter.com/ransomleaks/status/1309512461654077441
https://twitter.com/ransomleaks/status/1309514131150700545
https://twitter.com/ransomleaks/status/1309515088081170432
https://twitter.com/ransomleaks/status/1309517513991036928

According to the popular malware researchers Michael Gillespie, the Mount Locker uses ChaCha20 to encrypt the files and an embedded RSA-2048 public key to encrypt the encryption key.

The malware appends the extension .ReadManual.ID to the filenames of the encrypted files.

The ransom note, named RecoveryManual.html, includes instructions on how to access a Tor site, which is a chat service, that allows victims to communicate with the ransomware operators.

Experts confirmed that the encryption process implemented by the ransomware is not affected by any flaw, this means that it is not possible to recover the victims’ files for free.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment