A new ransomware gang named Mount Locker has begun operations, stealing victims’ data before encrypting it.
According to BleepingComputer, the ransomware operators are demanding multi-million dollar ransoms.
Like other ransomware operators, Mount Locker started targeting corporate networks; it has been active since the end of July 2020.
“From ransom notes shared with BleepingComputer by victims, the Mount Locker gang is demanding multi-million dollar ransom payments in some cases,” reported BleepingComputer.
In one of the attacks attributed to the group, the gang stole 400 GB of data from the victim and threatened to share it with the victim's competitors, media outlets, and TV channels if the ransom was not paid.
The victim decided not to pay the ransom, and the group published the data on its data leak site.
Currently, the data leak site lists the names of other alleged victims and, for one of them, contains the leaked files.
Recently the ransomware operators claimed to have stolen files from ThyssenKrupp System Engineering, security company Gunnebo, Nitinol component provider Memry, and Makalot.
According to the popular malware researcher Michael Gillespie, Mount Locker uses ChaCha20 to encrypt the files and an embedded RSA-2048 public key to encrypt the encryption key.
The malware appends the extension .ReadManual.ID to the filenames of the encrypted files.
The ransom note, named RecoveryManual.html, includes instructions on how to access a Tor site, a chat service that allows victims to communicate with the ransomware operators.
Experts confirmed that the encryption process implemented by the ransomware is not affected by any flaw; this means that it is not possible to recover the victims’ files for free.
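Because decryption is not an option, early detection matters. The sketch below is an added example, not code from the article or from any vendor: it flags hosts in a file-event log using the two indicators reported above, the `.ReadManual.ID` extension and the `RecoveryManual.html` note. The log format, host names, sample events and the assumption that `ID` is a letters-and-digits token are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the article: the appended extension and the note name.
# Assumption: "ID" is a per-victim token of letters/digits; the article does
# not give its exact format.
ENCRYPTED_RE = re.compile(r"\.ReadManual\.[0-9A-Za-z]+$", re.IGNORECASE)
NOTE_NAME = "recoverymanual.html"

# Constructed sample events: "<ISO time> <host> <action> <path>"
SAMPLE_EVENTS = """\
2020-09-24T10:00:01 ws01 CREATE C:\\Users\\amy\\Docs\\q3.xlsx.ReadManual.4F2A9C1B
2020-09-24T10:00:02 ws01 CREATE C:\\Users\\amy\\Docs\\plan.docx.ReadManual.4F2A9C1B
2020-09-24T10:00:03 ws01 CREATE C:\\Users\\amy\\Docs\\RecoveryManual.html
2020-09-24T10:00:04 ws01 CREATE C:\\Users\\amy\\Pics\\a.png.ReadManual.4F2A9C1B
2020-09-24T10:05:00 ws02 CREATE C:\\Users\\bob\\Docs\\ReadManual.txt
2020-09-24T11:30:00 ws03 CREATE C:\\Temp\\old.bak.ReadManual.77AA
""".splitlines()


def scan_events(lines, threshold=3, window=timedelta(seconds=60)):
    """Group indicator hits per host; alert on a burst or on note + hit."""
    hits = defaultdict(lambda: {"encrypted": [], "notes": []})
    for line in lines:
        ts, host, _action, path = line.split(maxsplit=3)
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if ENCRYPTED_RE.search(name):
            hits[host]["encrypted"].append(datetime.fromisoformat(ts))
        elif name.lower() == NOTE_NAME:
            hits[host]["notes"].append(path)
    report = {}
    for host, h in hits.items():
        times = sorted(h["encrypted"])
        # Burst: any `threshold` consecutive hits that fit inside `window`.
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        report[host] = {"encrypted": len(times), "notes": h["notes"],
                        "alert": burst or (bool(times) and bool(h["notes"]))}
    return report


if __name__ == "__main__":
    for host, result in scan_events(SAMPLE_EVENTS).items():
        print(host, result)
```

A single matching file with no note (ws03 in the sample) is reported but not alerted on, which keeps stray look-alike filenames from paging anyone while still leaving them visible for review.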
(SecurityAffairs – hacking, ransomware)