SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mount_locker (Back to overview)

Mount Locker

aka: DagonLocker, MountLocker, QuantumLocker
VTCollection    

According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS), active since July 2020
The MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security software.
Victim’s files are encrypted using ChaCha20, and file encryption keys are encrypted using RSA-2048.
The ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data. MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.

References
2024-04-29The DFIR ReportThe DFIR Report
From IcedID to Dagon Locker Ransomware in 29 Days
IcedID Mount Locker
2023-06-27SecurityIntelligenceCharlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot
2023-04-03The DFIR ReportThe DFIR Report
Malicious ISO File Leads to Domain Wide Ransomware
Cobalt Strike IcedID Mount Locker
2023-03-30United States District Court (Eastern District of New York)Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2022-11-28The DFIR ReportThe DFIR Report
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
Emotet Mount Locker
2022-11-10IntezerNicole Fishbein
How LNK Files Are Abused by Threat Actors
BumbleBee Emotet Mount Locker QakBot
2022-10-25MicrosoftMicrosoft Security Threat Intelligence
DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector
BlackCat Mount Locker Zeppelin Vanilla Tempest
2022-10-10RiskIQMicrosoft Threat Intelligence Center (MSTIC)
DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns
BlackCat Mount Locker SystemBC Zeppelin
2022-09-14SecurityScorecardVlad Pasca
A Detailed Analysis of the Quantum Ransomware
Mount Locker
2022-08-22MicrosoftMicrosoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-05-19IBMCharlotte Hammond, Golo Mühr, Ole Villadsen
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
IcedID ISFB Mount Locker WIZARD SPIDER
2022-05-09CybereasonLior Rochberger
Cybereason vs. Quantum Locker Ransomware
IcedID Mount Locker
2021-11-05BlackberryThe BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity
2021-10-18The DFIR ReportThe DFIR Report
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker
2021-10-15Trend MicroFernando Mercês
Ransomware Operators Found Using New "Franchise" Business Model
Glupteba IcedID Mount Locker
2021-08-04kienmanowar Blogm4n0w4r, Tran Trung Kien
[QuickNote] MountLocker – Some pseudo-code snippets
Mount Locker
2021-08-04CrowdStrikeCrowdStrike Intelligence Team, CrowdStrike IR, Falcon OverWatch Team
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Cobalt Strike Egregor Mount Locker Prophet Spider
2021-07-14Intel 471Intel 471
How cybercriminals create turbulence for the transportation industry
Mount Locker Nefilim
2021-06-23SymantecThreat Hunter Team
Ransomware: Growing Number of Attackers Using Virtual Machines
Mount Locker
2021-05-23Chuongdong blogChuong Dong
MountLocker Ransomware
Mount Locker
2021-05-18Github (Finch4)Finch
Analysis of MountLocker
Mount Locker
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-04-23GuidePoint SecurityDrew Schmitt
Mount Locker Ransomware Steps up Counter-IR Capabilities, Hindering Efforts for Detection, Response and Investigation
Mount Locker
2021-03-31SophosMichael Heller
Sophos MTR in Real Time: What is Astro Locker Team?
Mount Locker
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-12-23Dissecting MalwareMarius Genheimer
Between a rock and a hard place - Exploring Mount Locker Ransomware
Mount Locker
2020-12-11BlackberryBlackBerry Research and Intelligence team
MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates
Cobalt Strike Mount Locker
2020-11-19Bleeping ComputerLawrence Abrams
Mount Locker ransomware now targets your TurboTax tax returns
Mount Locker
2020-11-13Bleeping ComputerSergiu Gatlan
Biotech research firm Miltenyi Biotec hit by ransomware, data leaked
Mount Locker
2020-09-24Bleeping ComputerLawrence Abrams
Mount Locker ransomware joins the multi-million dollar ransom game
Mount Locker
Yara Rules
[TLP:WHITE] win_mount_locker_auto (20230808 | Detects win.mount_locker.)
rule win_mount_locker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.mount_locker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 81f900000780 7503 0fb7c0 3d2e050000 }
            // n = 4, score = 500
            //   81f900000780         | mov                 ecx, 2
            //   7503                 | inc                 ebp
            //   0fb7c0               | xor                 eax, eax
            //   3d2e050000           | xor                 edx, edx

        $sequence_1 = { f30f5905???????? 0f5ad0 66490f7ed0 e8???????? }
            // n = 4, score = 500
            //   f30f5905????????     |                     
            //   0f5ad0               | dec                 ebp
            //   66490f7ed0           | mov                 ecx, eax
            //   e8????????           |                     

        $sequence_2 = { 4d8bc8 4c8bc2 4c8bf2 8bf1 }
            // n = 4, score = 500
            //   4d8bc8               | dec                 eax
            //   4c8bc2               | mov                 ecx, ebx
            //   4c8bf2               | dec                 ecx
            //   8bf1                 | mov                 ebp, eax

        $sequence_3 = { 8bc8 81e10000ffff 81f900000780 7503 }
            // n = 4, score = 500
            //   8bc8                 | dec                 ebp
            //   81e10000ffff         | mov                 ecx, eax
            //   81f900000780         | dec                 esp
            //   7503                 | mov                 eax, edx

        $sequence_4 = { 488b0b 41b902000000 4533c0 33d2 }
            // n = 4, score = 500
            //   488b0b               | dec                 ebp
            //   41b902000000         | mov                 ecx, eax
            //   4533c0               | dec                 esp
            //   33d2                 | mov                 eax, edx

        $sequence_5 = { 488d4df0 4889442428 4533c9 4533c0 }
            // n = 4, score = 500
            //   488d4df0             | inc                 ebp
            //   4889442428           | xor                 eax, eax
            //   4533c9               | xor                 edx, edx
            //   4533c0               | dec                 ecx

        $sequence_6 = { 488bcb 488b15???????? e8???????? 85c0 }
            // n = 4, score = 500
            //   488bcb               | dec                 eax
            //   488b15????????       |                     
            //   e8????????           |                     
            //   85c0                 | mov                 ecx, ebx

        $sequence_7 = { 488364242000 4533c9 488b4c2458 33d2 c744243001000000 c744243c02000000 }
            // n = 6, score = 500
            //   488364242000         | test                eax, eax
            //   4533c9               | dec                 eax
            //   488b4c2458           | and                 dword ptr [esp + 0x20], 0
            //   33d2                 | inc                 ebp
            //   c744243001000000     | xor                 ecx, ecx
            //   c744243c02000000     | dec                 eax

        $sequence_8 = { 4c8bf2 8bf1 33d2 33c9 }
            // n = 4, score = 500
            //   4c8bf2               | mov                 ecx, dword ptr [esp + 0x58]
            //   8bf1                 | xor                 edx, edx
            //   33d2                 | mov                 dword ptr [esp + 0x30], 1
            //   33c9                 | mov                 dword ptr [esp + 0x3c], 2

        $sequence_9 = { ff15???????? 85c0 7509 f0ff05???????? }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   85c0                 | mov                 eax, edx
            //   7509                 | dec                 esp
            //   f0ff05????????       |                     

        $sequence_10 = { b905000000 ff15???????? 3d040000c0 7494 85c0 }
            // n = 5, score = 300
            //   b905000000           | xor                 edx, edx
            //   ff15????????         |                     
            //   3d040000c0           | mov                 dword ptr [esp + 0x30], 1
            //   7494                 | dec                 ecx
            //   85c0                 | mov                 ebp, eax

        $sequence_11 = { 7505 e8???????? 833d????????00 7409 833d????????00 }
            // n = 5, score = 300
            //   7505                 | mov                 dword ptr [esp + 0x30], 1
            //   e8????????           |                     
            //   833d????????00       |                     
            //   7409                 | mov                 dword ptr [esp + 0x3c], 2
            //   833d????????00       |                     

        $sequence_12 = { 8d442430 68???????? 50 ffd7 }
            // n = 4, score = 100
            //   8d442430             | xor                 ecx, ecx
            //   68????????           |                     
            //   50                   | dec                 eax
            //   ffd7                 | and                 dword ptr [esp + 0x20], 0

        $sequence_13 = { a1???????? 83f804 7515 68???????? }
            // n = 4, score = 100
            //   a1????????           |                     
            //   83f804               | inc                 ebp
            //   7515                 | xor                 ecx, ecx
            //   68????????           |                     

        $sequence_14 = { 8bf0 85f6 7424 6800010000 }
            // n = 4, score = 100
            //   8bf0                 | dec                 eax
            //   85f6                 | mov                 ecx, dword ptr [esp + 0x58]
            //   7424                 | xor                 edx, edx
            //   6800010000           | mov                 dword ptr [esp + 0x30], 1

        $sequence_15 = { ff15???????? 85c0 7409 f0ff05???????? eb1e 56 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   85c0                 | dec                 esp
            //   7409                 | mov                 esi, edx
            //   f0ff05????????       |                     
            //   eb1e                 | mov                 esi, ecx
            //   56                   | xor                 edx, edx

    condition:
        7 of them and filesize < 368640
}
Download all Yara Rules