The MountLocker ransomware gang has reportedly added enterprise Windows Active Directory APIs to their means of spreading through networks. A cybersecurity expert calls this shift a quantum leap for corporate network exploitation.
MountLocker is a Ransomware-as-a-Service (RaaS) that has been operating since July 2020. The malware went through a series of transformations as different hacker groups modified it to suit their needs. Since March 2021, a new ransomware group, Astro Locker, has been using a customized version of the MountLocker ransomware paired with its own payment and data leak sites.
This month a third group, XingLocker, emerged that is also using a customized version of MountLocker. Finally, this week MalwareHunterTeam shared a sample that looked like a new MountLocker executable. In this variant, the ransomware gained a new worm feature so that it can spread to other devices on the network and encrypt them.
BleepingComputer researchers analyzed the malware and confirmed it was a customized sample for the XingLocker team. Attackers can enable the worm feature “by running the malware sample with the /NETWORK command-line argument.”
Further analysis by Advanced Intel CEO Vitali Kremez revealed that MountLocker’s worm feature relies on the Windows Active Directory Service Interfaces (ADSI) API. By abusing the API, the attackers can enumerate all devices on the compromised Windows domain and encrypt them using stolen domain credentials.
The ransomware tries to connect to the Active Directory services, and once it does, it searches the directory database for objects matching ‘objectclass=computer’. For each object it finds, MountLocker attempts to copy the malware executable to the ‘\C$\ProgramData’ folder on the remote device. It then remotely creates a Windows service that launches the executable so that the ransomware can encrypt the device.
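One way a defender can hunt for the drop-then-service pattern described above: pair a write to ProgramData over the C$ admin share (Security event 5145) with a service install on the same host whose binary sits in ProgramData (System event 7045) within a short window. This is an added example, not code from the article or from any vendor; the event records, host names, IPs and the file name svc.exe are constructed samples, and the flat dict fields are a simplified stand-in for real Windows event XML.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): Security 5145 share-access
# records and System 7045 service-install records, already flattened.
EVENTS = [
    {"time": "2021-05-20T10:00:01", "id": 5145, "host": "WS01",
     "share": r"\\*\C$", "target": r"ProgramData\svc.exe", "src_ip": "10.0.0.5"},
    {"time": "2021-05-20T10:00:09", "id": 7045, "host": "WS01",
     "service": "SysHelper", "image": r"C:\ProgramData\svc.exe"},
    # benign: service install outside ProgramData, no preceding C$ drop
    {"time": "2021-05-20T11:30:00", "id": 7045, "host": "WS02",
     "service": "Print Spooler Fix", "image": r"C:\Windows\System32\spoolsv.exe"},
    # benign: C$ access to a user document, no service follows
    {"time": "2021-05-20T12:00:00", "id": 5145, "host": "WS03",
     "share": r"\\*\C$", "target": r"Users\bob\report.docx", "src_ip": "10.0.0.7"},
]

WINDOW = timedelta(minutes=5)  # assumption: drop and service install are close in time


def _ts(event):
    return datetime.fromisoformat(event["time"])


def suspicious_service_installs(events, window=WINDOW):
    """Return (host, service, image, src_ip) for every 7045 service install whose
    binary lives under ProgramData and was preceded, within `window`, by a write
    of that same file name to ProgramData over the C$ share on the same host."""
    drops = [e for e in events
             if e["id"] == 5145
             and e["share"].upper().endswith("C$")
             and e["target"].lower().startswith("programdata")]
    hits = []
    for svc in events:
        if svc["id"] != 7045 or "\\programdata\\" not in svc["image"].lower():
            continue
        for drop in drops:
            dropped_name = drop["target"].lower().rsplit("\\", 1)[-1]
            same_host = drop["host"] == svc["host"]
            same_file = svc["image"].lower().endswith(dropped_name)
            delta = _ts(svc) - _ts(drop)
            if same_host and same_file and timedelta(0) <= delta <= window:
                hits.append((svc["host"], svc["service"], svc["image"], drop["src_ip"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_service_installs(EVENTS):
        print("possible remote deployment via C$ drop:", hit)
```

Matching on the same host and file name, rather than on either event alone, keeps routine admin-share use and legitimate service installs out of the result set.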
“Many corporate environments rely on complex active directory forests and computers within them. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operations outside of the normal network and share scan,” Kremez told BleepingComputer.
“This is the quantum shift of professionalizing ransomware development for corporate network exploitation.”
Kremez believes the author of this code likely has some Windows domain administration experience because Windows network administrators often use this API.
While other malware, for example TrickBot, has also used this API, MountLocker may be the first enterprise ransomware “for professionals” to use these APIs to worm to other devices.