“Mount Locker” is a ransomware strain that first appeared in July 2020. Like many malware gangs, attackers steal unencrypted data, lock up files, and threaten to leak the information unless they receive payment. Up to 400 GB of data can be stolen at once, and ransom demands are sometimes millions of dollars.

Mount Locker attacks have continued to escalate in 2021, and now the gang is adding alarming new capabilities that coincide with a rebranding to “AstroLocker.” These updates signal an aggressive shift in Mount Locker’s tactics that users must be aware of.

How Mount Locker Steals Data

Mount Locker uses legitimate, off-the-shelf tools to do its dirty work. These include:

AdFind and Bloodhound for Active Directory and user reconnaissance
File Transfer Protocol (FTP) for unauthorized data transfer
CobaltStrike for lateral movement
psExec for encryption delivery and execution

Once the attackers map out the environment, they identify and neutralize backup systems, harvest the data, and deliver target-specific ransomware.

Mount Locker Adds Sinister New Features

The most recent iteration of Mount Locker contains new batch scripts designed to disable malware detection and prevention tools. The scripts aren’t just blanket steps to disable a large swath of tools—they are customized and targeted to the victim’s environment. This latest tactic makes Mount Locker a more insidious threat than ever before.

Another tactical change involves using multiple CobaltStrike servers, each with a unique domain. This step further assists in evading detection, but it’s not commonly implemented because it requires more management to put into practice.

Mount Locker has also broadened its targeting capabilities, adding the means to search for file extensions utilized by TurboTax software.

Healthcare and Biotech Companies are Most at Risk

Since Mount Locker changed its tactics, incidents have surged, particularly among the biological technology and healthcare industries. This suggests that the operators may be explicitly targeting healthcare-related businesses.

These organizations are prime ransomware targets for several reasons:

The industry is flush with cash.
Biotech companies tend to collect and store highly sensitive intellectual property.
Connections to research organizations increase the potential damage to the victim’s reputation and business dealings if a data leak occurs.
Healthcare companies stand to lose the most if operations halt for too long or critical intellectual property is lost. Therefore, attackers view them as more likely to pay the ransom demand.

How to Guard Against Mount Locker, Rebranded to AstroLocker

No matter what name it goes by, Mount Locker is an undeniable threat. Companies can track signs of this ransomware within CobaltStrike stagers and beacons, and they should monitor file exfiltration via FTP.

For greater peace of mind against cyberattacks, partner with Red Panda Systems. As a cybersecurity expert, we provide advanced firewall protection, cybersecurity audits and assessments, monitoring services, and much more. Our customers rely on us for our responsiveness, communication, and trust. Don’t wait until you suspect a Mount Locker attack—contact us today to request a consultation and quote for cybersecurity services in Las Vegas.