Mount Locker (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.mount_locker (Back to overview)

Mount Locker

aka: DagonLocker, MountLocker, QuantumLocker

Actor(s): Vanilla Tempest

VTCollection

According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS), active since July 2020
The MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security software.
Victim’s files are encrypted using ChaCha20, and file encryption keys are encrypted using RSA-2048.
The ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data. MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.

References

2024-04-29 ⋅ The DFIR Report ⋅ The DFIR Report
From IcedID to Dagon Locker Ransomware in 29 Days
IcedID Mount Locker

2023-06-27 ⋅ SecurityIntelligence ⋅ Charlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot

2023-04-03 ⋅ The DFIR Report ⋅ The DFIR Report
Malicious ISO File Leads to Domain Wide Ransomware
Cobalt Strike IcedID Mount Locker

2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader

2022-11-28 ⋅ The DFIR Report ⋅ The DFIR Report
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
Emotet Mount Locker

2022-11-10 ⋅ Intezer ⋅ Nicole Fishbein
How LNK Files Are Abused by Threat Actors
BumbleBee Emotet Mount Locker QakBot

2022-10-25 ⋅ Microsoft ⋅ Microsoft Security Threat Intelligence
DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector
BlackCat Mount Locker PortStarter Zeppelin Vanilla Tempest

2022-10-10 ⋅ RiskIQ ⋅ Microsoft Threat Intelligence Center (MSTIC)
DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns
BlackCat Mount Locker SystemBC Zeppelin

2022-09-14 ⋅ SecurityScorecard ⋅ Vlad Pasca
A Detailed Analysis of the Quantum Ransomware
Mount Locker

2022-08-22 ⋅ Microsoft ⋅ Microsoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk

2022-05-19 ⋅ IBM ⋅ Charlotte Hammond, Golo Mühr, Ole Villadsen
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
IcedID ISFB Mount Locker WIZARD SPIDER

2022-05-09 ⋅ Cybereason ⋅ Lior Rochberger
Cybereason vs. Quantum Locker Ransomware
IcedID Mount Locker

2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity

2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker

2021-10-15 ⋅ Trend Micro ⋅ Fernando Mercês
Ransomware Operators Found Using New "Franchise" Business Model
Glupteba IcedID Mount Locker

2021-08-04 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien
[QuickNote] MountLocker – Some pseudo-code snippets
Mount Locker

2021-08-04 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team, CrowdStrike IR, Falcon OverWatch Team
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Cobalt Strike Egregor Mount Locker Prophet Spider

2021-07-14 ⋅ Intel 471 ⋅ Intel 471
How cybercriminals create turbulence for the transportation industry
Mount Locker Nefilim

2021-06-23 ⋅ Symantec ⋅ Threat Hunter Team
Ransomware: Growing Number of Attackers Using Virtual Machines
Mount Locker

2021-05-23 ⋅ Chuongdong blog ⋅ Chuong Dong
MountLocker Ransomware
Mount Locker

2021-05-18 ⋅ Github (Finch4) ⋅ Finch
Analysis of MountLocker
Mount Locker

2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-04-23 ⋅ GuidePoint Security ⋅ Drew Schmitt
Mount Locker Ransomware Steps up Counter-IR Capabilities, Hindering Efforts for Detection, Response and Investigation
Mount Locker

2021-03-31 ⋅ Sophos ⋅ Michael Heller
Sophos MTR in Real Time: What is Astro Locker Team?
Mount Locker

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2020-12-23 ⋅ Dissecting Malware ⋅ Marius Genheimer
Between a rock and a hard place - Exploring Mount Locker Ransomware
Mount Locker

2020-12-11 ⋅ Blackberry ⋅ BlackBerry Research and Intelligence team
MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates
Cobalt Strike Mount Locker

2020-11-19 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Mount Locker ransomware now targets your TurboTax tax returns
Mount Locker

2020-11-13 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Biotech research firm Miltenyi Biotec hit by ransomware, data leaked
Mount Locker

2020-09-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Mount Locker ransomware joins the multi-million dollar ransom game
Mount Locker

Yara Rules

[TLP:WHITE] win_mount_locker_auto (20241030 | Detects win.mount_locker.)

rule win_mount_locker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.mount_locker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 498be8 4d8bc8 4c8bc2 4c8bf2 }
            // n = 4, score = 500
            //   498be8               | dec                 esp
            //   4d8bc8               | lea                 eax, [esp + 0x30]
            //   4c8bc2               | dec                 eax
            //   4c8bf2               | and                 dword ptr [esp + 0x20], 0

        $sequence_1 = { f30f5905???????? 0f5ad0 66490f7ed0 e8???????? }
            // n = 4, score = 500
            //   f30f5905????????     |                     
            //   0f5ad0               | inc                 ebp
            //   66490f7ed0           | xor                 ecx, ecx
            //   e8????????           |                     

        $sequence_2 = { 488b0b 41b902000000 4533c0 33d2 }
            // n = 4, score = 500
            //   488b0b               | dec                 eax
            //   41b902000000         | mov                 ecx, dword ptr [esp + 0x58]
            //   4533c0               | xor                 edx, edx
            //   33d2                 | mov                 dword ptr [esp + 0x30], 1

        $sequence_3 = { 4533c9 488b4c2458 33d2 c744243001000000 }
            // n = 4, score = 500
            //   4533c9               | mov                 esi, edx
            //   488b4c2458           | mov                 esi, ecx
            //   33d2                 | xor                 edx, edx
            //   c744243001000000     | xor                 ecx, ecx

        $sequence_4 = { 4c8bc2 4c8bf2 8bf1 33d2 }
            // n = 4, score = 500
            //   4c8bc2               | dec                 esp
            //   4c8bf2               | mov                 eax, edx
            //   8bf1                 | dec                 esp
            //   33d2                 | mov                 esi, edx

        $sequence_5 = { 488d4df0 4889442428 4533c9 4533c0 }
            // n = 4, score = 500
            //   488d4df0             | mov                 ecx, eax
            //   4889442428           | dec                 esp
            //   4533c9               | mov                 eax, edx
            //   4533c0               | dec                 esp

        $sequence_6 = { 8bc8 81e10000ffff 81f900000780 7503 0fb7c0 }
            // n = 5, score = 500
            //   8bc8                 | mov                 ebp, eax
            //   81e10000ffff         | dec                 ebp
            //   81f900000780         | mov                 ecx, eax
            //   7503                 | dec                 esp
            //   0fb7c0               | mov                 eax, edx

        $sequence_7 = { 4c8b05???????? 488bcb 488b15???????? e8???????? 85c0 }
            // n = 5, score = 500
            //   4c8b05????????       |                     
            //   488bcb               | mov                 esi, ecx
            //   488b15????????       |                     
            //   e8????????           |                     
            //   85c0                 | xor                 edx, edx

        $sequence_8 = { 7505 e8???????? 833d????????00 7409 833d????????00 7505 e8???????? }
            // n = 7, score = 300
            //   7505                 | mov                 ecx, dword ptr [esp + 0x58]
            //   e8????????           |                     
            //   833d????????00       |                     
            //   7409                 | xor                 edx, edx
            //   833d????????00       |                     
            //   7505                 | mov                 dword ptr [esp + 0x30], 1
            //   e8????????           |                     

        $sequence_9 = { ff15???????? 85c0 7509 f0ff05???????? }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   85c0                 | mov                 eax, edx
            //   7509                 | dec                 esp
            //   f0ff05????????       |                     

        $sequence_10 = { 415e 5f 5e c3 488bc4 48895010 4c894018 }
            // n = 7, score = 300
            //   415e                 | xor                 ecx, ecx
            //   5f                   | dec                 eax
            //   5e                   | mov                 ecx, dword ptr [esp + 0x58]
            //   c3                   | xor                 edx, edx
            //   488bc4               | mov                 dword ptr [esp + 0x30], 1
            //   48895010             | dec                 ecx
            //   4c894018             | mov                 ebp, eax

        $sequence_11 = { 6a01 ff15???????? 8d4538 50 68???????? }
            // n = 5, score = 100
            //   6a01                 | mov                 dword ptr [esp + 0x3c], 2
            //   ff15????????         |                     
            //   8d4538               | dec                 ebp
            //   50                   | mov                 ecx, eax
            //   68????????           |                     

        $sequence_12 = { 83ef01 75ec 6a20 59 8a06 884620 46 }
            // n = 7, score = 100
            //   83ef01               | mov                 esi, ecx
            //   75ec                 | xor                 edx, edx
            //   6a20                 | dec                 esp
            //   59                   | lea                 eax, [esp + 0x30]
            //   8a06                 | dec                 eax
            //   884620               | and                 dword ptr [esp + 0x20], 0
            //   46                   | inc                 ebp

        $sequence_13 = { 68???????? e8???????? 8d45c0 50 ff750c }
            // n = 5, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   8d45c0               | mov                 dword ptr [esp + 0x3c], 2
            //   50                   | dec                 eax
            //   ff750c               | lea                 ecx, [ebp - 0x10]

        $sequence_14 = { 6815020100 6a08 83ceff ff15???????? 50 }
            // n = 5, score = 100
            //   6815020100           | dec                 esp
            //   6a08                 | mov                 eax, edx
            //   83ceff               | dec                 esp
            //   ff15????????         |                     
            //   50                   | mov                 esi, edx

        $sequence_15 = { 68???????? 6a01 e8???????? 83c40c 5e c3 56 }
            // n = 7, score = 100
            //   68????????           |                     
            //   6a01                 | xor                 ecx, ecx
            //   e8????????           |                     
            //   83c40c               | dec                 eax
            //   5e                   | mov                 ecx, dword ptr [esp + 0x58]
            //   c3                   | xor                 edx, edx
            //   56                   | mov                 dword ptr [esp + 0x30], 1

    condition:
        7 of them and filesize < 368640
}

Download all Yara Rules

Mount Locker Propose Change

References

Yara Rules

Mount Locker