The Mount Locker ransomware is rebranding into “AstroLocker” and has added more sophisticated scripting and anti-prevention features, according to GuidePoint Security researchers.
According to the firm, Mount Locker has been evolving swiftly since it appeared on the ransomware-as-a-service scene in the second half of 2020.
Since then, the group has upgraded its targeting techniques and improved its detection evasion. In the most recent major update, researchers observed “an aggressive shift in Mount Locker’s tactics,” which they described in an analysis released Thursday by GuidePoint Security.
Mount Locker uses the double-extortion scheme; in the past the group has demanded multimillion-dollar ransoms and stolen especially large amounts of data (up to 400 GB).
Mount Locker’s toolset includes the legitimate tools AdFind and BloodHound for Active Directory and user reconnaissance, FTP for file exfiltration, and Cobalt Strike and PsExec for lateral movement and for delivering the ransomware payload and encrypting systems.
“After the environment is mapped, backup systems are identified and neutralized, and data is harvested, systems are encrypted with target-specific ransomware delivered via the established command-and-control channels (C2),” said Drew Schmitt, senior threat intelligence analyst for GuidePoint. “These payloads include executables, extensions and unique victim IDs for payment.”
In more recent campaigns, the attackers have used new batch scripts that disable detection and prevention tools.
“[This] indicates that Mount Locker is increasing its capabilities and is becoming a more dangerous threat,” according to Schmitt. “These scripts were not just blanket steps to disable a large swath of tools, they were customized and targeted to the victim’s environment.”
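As an added illustration of how a SOC might detect the tradecraft described above (AdFind/BloodHound reconnaissance, PsExec lateral movement, and scripts that stop security tooling), here is a Python detection sketch run over sample log records. It is not code from GuidePoint’s report. The records are constructed Sysmon-style process-creation events, and the specific commands in them (sc stop, net stop, taskkill, Set-MpPreference) and the product-name list are assumptions about how such scripts commonly work, not details quoted from the report.

```python
"""Detection sketch (added example): flag the tradecraft classes the article
names and correlate them per host into an intrusion chain.

All log lines are CONSTRUCTED; command lines and product names are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    ts: str
    rule: str
    evidence: str


# Constructed Sysmon-style records: ts|host|user|parent_image|image|command_line
LOG = r"""
2021-03-25T10:02:11Z|WS-114|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Tools\adfind.exe|adfind.exe -f objectcategory=computer -csv name operatingSystem
2021-03-25T10:05:40Z|WS-114|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Tools\psexec.exe|psexec.exe \\FS01 -s -d cmd /c c:\windows\temp\kill.bat
2021-03-25T10:05:43Z|FS01|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|C:\Windows\PSEXESVC.exe|C:\Windows\PSEXESVC.exe
2021-03-25T10:05:44Z|FS01|NT AUTHORITY\SYSTEM|C:\Windows\PSEXESVC.exe|C:\Windows\System32\cmd.exe|cmd /c c:\windows\temp\kill.bat
2021-03-25T10:05:45Z|FS01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc stop WinDefend
2021-03-25T10:05:46Z|FS01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net stop "Sysmon64" /y
2021-03-25T10:05:47Z|FS01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|C:\Windows\System32\taskkill.exe|taskkill /f /im MsMpEng.exe
2021-03-25T10:06:02Z|FS01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net stop Spooler
2021-03-25T11:15:00Z|WS-220|CORP\it-admin|C:\Windows\explorer.exe|C:\Windows\System32\net.exe|net stop Spooler
"""

# Assumed substrings of security-product service/process names (hypothetical list).
SECURITY_PROCS = ("windefend", "sense", "msmpeng", "sysmon", "csagent",
                  "carbonblack", "sentinel", "cylance", "tanium")

# Process-level rules on "image + command line" text.
RULES = [
    ("ad_recon", re.compile(r"(?:^|[\\\s])(adfind|sharphound)(?:\.exe)?\b|invoke-bloodhound", re.I)),
    ("psexec_lateral", re.compile(r"psexesvc\.exe|(?:^|[\\\s])psexec(?:64)?\.exe\s+\\\\", re.I)),
    ("batch_script", re.compile(r"\bcmd(?:\.exe)?\s+/[ck]\s+\S*\.bat\b", re.I)),
]

# Commands that stop/remove a service or kill a process; group 1 is the target.
DISABLE_RX = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|config|delete)|net(?:\.exe)?\s+stop"
    r"|taskkill(?:\.exe)?\s+(?:/f\s+)?/im)\s+\"?([\w.-]+)", re.I)
MP_RX = re.compile(r"set-mppreference\s+-disablerealtimemonitoring\s+\$?true", re.I)


def disables_security_tool(text: str) -> bool:
    """True only when the stopped/killed target looks like a security product."""
    if MP_RX.search(text):
        return True
    return any(any(p in target.lower() for p in SECURITY_PROCS)
               for target in DISABLE_RX.findall(text))


def parse_line(line: str) -> dict:
    ts, host, user, parent, image, cmd = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "image": image, "cmd": cmd}


def detect(lines) -> list:
    """Run every rule over each record; one Alert per (record, rule) hit."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        text = f'{ev["image"]} {ev["cmd"]}'
        for rule, rx in RULES:
            if rx.search(text):
                alerts.append(Alert(ev["host"], ev["ts"], rule, ev["cmd"]))
        if disables_security_tool(text):
            alerts.append(Alert(ev["host"], ev["ts"], "defense_disable", ev["cmd"]))
    return alerts


CORE_STAGES = {"ad_recon", "psexec_lateral", "defense_disable"}


def correlate(alerts, min_stages: int = 2) -> dict:
    """Hosts where at least `min_stages` distinct core stages were seen.

    A lone 'net stop' is noise; recon plus lateral movement, or lateral
    movement plus defence tampering, on one host is the chain worth paging on.
    """
    seen = defaultdict(set)
    for a in alerts:
        seen[a.host].add(a.rule)
    return {h: sorted(r) for h, r in seen.items() if len(r & CORE_STAGES) >= min_stages}


def run_demo():
    alerts = detect(LOG.strip().splitlines())
    return alerts, correlate(alerts)


if __name__ == "__main__":
    found, chains = run_demo()
    for a in found:
        print(f"{a.ts} {a.host:<7} {a.rule:<16} {a.evidence}")
    print("hosts with multi-stage chain:", chains)
```

The per-host correlation is the part that matters operationally: stopping a single service is routine administration, but recon or PsExec activity followed by security services being stopped on the same host is the sequence the article describes, so that combination is what escalates.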
Another upgrade is the use of multiple Cobalt Strike servers with unique domains to improve detection evasion.
Researchers note the group prefers to target the biotechnology industry and other healthcare-adjacent industries.
“Biotech companies, in particular, are a prime target for ransomware because of their position in an industry flush not only with cash but also with highly sensitive IP,” Schmitt explained. “Additionally, connections to other research organizations increase the potential to damage the victim’s reputation in the industry and put business dealings at risk.”