MountLocker Ransomware Uses Windows Active Directory API to Worm Networks

The MountLocker ransomware gang has reportedly added Windows Active Directory APIs to the ways it spreads through enterprise networks. One cybersecurity expert calls the shift a quantum leap in corporate network exploitation.

MountLocker is a Ransomware-as-a-Service (RaaS) operation that has been active since July 2020. The malware has gone through a series of transformations as different groups modified it for their own needs. Since March 2021, a new ransomware group, Astro Locker, has been using a customized version of MountLocker paired with its own payment and data-leak sites.

This month, a third group, XingLocker, emerged that is also using a customized version of MountLocker. Finally, this week MalwareHunterTeam shared a sample that looked like a new MountLocker executable. In this variant, the ransomware gained a worm feature so that it can spread to other devices on the network and encrypt them.

BleepingComputer analyzed the malware and confirmed it was a sample customized for the XingLocker team. Attackers enable the worm feature “by running the malware sample with the /NETWORK command-line argument.”

Further analysis by Advanced Intel CEO Vitali Kremez revealed that MountLocker’s worm feature relies on the Windows Active Directory Service Interfaces (ADSI) API. By abusing the API, the attackers can enumerate every computer in the compromised Windows domain and encrypt those hosts using stolen domain credentials.

The ransomware attempts to connect to Active Directory and, once it succeeds, queries the directory for objects matching ‘objectclass=computer.’ For each computer object it finds, MountLocker attempts to copy its executable to the ‘\C$\ProgramData’ folder on the remote device, that is, the ProgramData folder reached through the C$ administrative share. It then remotely creates a Windows service that launches the executable so that the ransomware can encrypt the device. Both steps, writing to C$ and creating a service over the network, require an account with local administrator rights on the target, which is why the stolen domain credentials are essential.
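The two steps that follow the directory query, a write into the C$ admin share’s ProgramData folder and a remote service install pointing at that file, each leave a Windows event behind (Security 5145 for the share write, System 7045 for the new service). The detector below, an added example that is not code from the article or from any of the groups it describes, correlates those two events per host and then looks for one source repeating the pattern against several hosts, which is the worm signature. The events are constructed samples, and the field names are an assumed normalization of the two event types, not a real SIEM schema.

```python
"""Correlate staged admin-share writes with ProgramData service installs.

Added example: sample telemetry is constructed, and the event field names
are an assumed normalization of Windows Security 5145 (network share object
accessed) and System 7045 (new service installed) events.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 10.0.0.5 writes a payload into \\WS01\C$\ProgramData, then installs a service for it.
    {"time": "2021-05-20T10:00:01", "host": "WS01", "event_id": 5145, "share": "\\\\*\\C$",
     "relative_path": "ProgramData\\ml_payload.exe", "access_mask": "0x2",
     "src_ip": "10.0.0.5", "account": "CORP\\svc_backup"},
    {"time": "2021-05-20T10:00:04", "host": "WS01", "event_id": 7045,
     "service_name": "WinUpdateHelper", "image_path": "C:\\ProgramData\\ml_payload.exe",
     "account": "CORP\\svc_backup"},
    # The same source repeats the pattern on WS02 (worm fan-out).
    {"time": "2021-05-20T10:00:07", "host": "WS02", "event_id": 5145, "share": "\\\\*\\C$",
     "relative_path": "ProgramData\\ml_payload.exe", "access_mask": "0x2",
     "src_ip": "10.0.0.5", "account": "CORP\\svc_backup"},
    {"time": "2021-05-20T10:00:09", "host": "WS02", "event_id": 7045,
     "service_name": "WinUpdateHelper", "image_path": "C:\\ProgramData\\ml_payload.exe",
     "account": "CORP\\svc_backup"},
    # Benign: a read (no write bit) of a text file, and a vendor service under Program Files.
    {"time": "2021-05-20T10:01:00", "host": "WS03", "event_id": 5145, "share": "\\\\*\\C$",
     "relative_path": "ProgramData\\report.txt", "access_mask": "0x1",
     "src_ip": "10.0.0.9", "account": "CORP\\alice"},
    {"time": "2021-05-20T10:01:30", "host": "WS03", "event_id": 7045,
     "service_name": "VendorAgent", "image_path": "C:\\Program Files\\Vendor\\agent.exe",
     "account": "NT AUTHORITY\\SYSTEM"},
    # A staged write with no service install: worth a look, but not paired here.
    {"time": "2021-05-20T10:02:00", "host": "FS01", "event_id": 5145, "share": "\\\\*\\C$",
     "relative_path": "ProgramData\\tool.exe", "access_mask": "0x2",
     "src_ip": "10.0.0.9", "account": "CORP\\alice"},
]

EXEC_SUFFIXES = (".exe", ".dll")
WRITE_BIT = 0x2  # FILE_WRITE_DATA / FILE_ADD_FILE bit of the 5145 Access Mask


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def staged_executables(events) -> Dict[Tuple[str, str], dict]:
    """5145 events that write an executable under <host>\\C$\\ProgramData.

    Keyed by (host, lowercase file name); later writes overwrite earlier ones.
    """
    staged: Dict[Tuple[str, str], dict] = {}
    for e in events:
        if e.get("event_id") != 5145:
            continue
        share = e.get("share", "").lower()
        rel = e.get("relative_path", "").lower().replace("/", "\\")
        mask = int(e.get("access_mask", "0x0"), 16)
        if not share.endswith("c$") or not rel.startswith("programdata\\"):
            continue
        if not rel.endswith(EXEC_SUFFIXES) or not mask & WRITE_BIT:
            continue
        staged[(e["host"], rel.rsplit("\\", 1)[-1])] = e
    return staged


def correlate(events, window_seconds: int = 300) -> List[dict]:
    """Pair each 7045 whose ImagePath is under C:\\ProgramData with a staged
    write of the same file on the same host within window_seconds before it."""
    staged = staged_executables(events)
    alerts: List[dict] = []
    for e in events:
        if e.get("event_id") != 7045:
            continue
        image = e.get("image_path", "").lower()
        if not image.startswith("c:\\programdata\\"):
            continue
        s = staged.get((e["host"], image.rsplit("\\", 1)[-1]))
        if s is None:
            continue
        delta = _ts(e) - _ts(s)
        if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
            alerts.append({"host": e["host"], "file": image, "src_ip": s["src_ip"],
                           "account": s["account"], "service": e["service_name"],
                           "staged_at": s["time"], "installed_at": e["time"]})
    return alerts


def worm_fanout(alerts, min_targets: int = 2) -> Dict[str, List[str]]:
    """Sources that ran the stage-then-install pattern against several hosts."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a["src_ip"]].add(a["host"])
    return {src: sorted(hosts) for src, hosts in by_src.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']}: {a['file']} staged by {a['src_ip']} ({a['account']}), service {a['service']}")
    print("worm fan-out:", worm_fanout(found))
```

The 5145 event only exists when object-access auditing for file shares is enabled on the targets, so the detector degrades to the 7045 check alone where that audit policy is missing; the `ProgramData` image path on its own is a weaker but still useful signal. On the directory side, the `(objectclass=computer)` query the article describes looks like routine administration, which is exactly why Kremez attributes it to someone with domain experience, and why the share write and service install are the better places to catch it.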

“Many corporate environments rely on complex active directory forests and computers within them. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operations outside of the normal network and share scan,” Kremez told BleepingComputer.

“This is the quantum shift of professionalizing ransomware development for corporate network exploitation.” 

Kremez believes the author of this code likely has Windows domain administration experience, because Windows network administrators commonly use this API.

While other malware, such as TrickBot, has also used this API, MountLocker may be the first enterprise ransomware “for professionals” to use it to worm its way onto other devices.

About the author

CIM Team