SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mount_locker (Back to overview)

Mount Locker

There is no description at this point.

References
2021-11-05BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20211105:hunter:3c7bab9, author = {The BlackBerry Research & Intelligence Team}, title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}}, date = {2021-11-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/zebra2104}, language = {English}, urldate = {2021-11-08} } Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity
2021-10-18The DFIR ReportThe DFIR Report
@online{report:20211018:icedid:0b574b0, author = {The DFIR Report}, title = {{IcedID to XingLocker Ransomware in 24 hours}}, date = {2021-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/}, language = {English}, urldate = {2021-10-22} } IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker
2021-10-15Trend MicroFernando Mercês
@online{mercs:20211015:ransomware:c944933, author = {Fernando Mercês}, title = {{Ransomware Operators Found Using New "Franchise" Business Model}}, date = {2021-10-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html}, language = {English}, urldate = {2021-10-24} } Ransomware Operators Found Using New "Franchise" Business Model
Glupteba IcedID Mount Locker
2021-08-04CrowdStrikeFalcon OverWatch Team, CrowdStrike Intelligence Team, CrowdStrike IR
@online{team:20210804:prophet:e6e6a99, author = {Falcon OverWatch Team and CrowdStrike Intelligence Team and CrowdStrike IR}, title = {{PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity}}, date = {2021-08-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/}, language = {English}, urldate = {2021-09-02} } PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Cobalt Strike Egregor Mount Locker
2021-08-04kienmanowar Blogm4n0w4r, Tran Trung Kien
@online{m4n0w4r:20210804:quicknote:791df11, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] MountLocker – Some pseudo-code snippets}}, date = {2021-08-04}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/}, language = {English}, urldate = {2021-09-09} } [QuickNote] MountLocker – Some pseudo-code snippets
Mount Locker
2021-07-14Intel 471Intel 471
@online{471:20210714:how:0cf4b03, author = {Intel 471}, title = {{How cybercriminals create turbulence for the transportation industry}}, date = {2021-07-14}, organization = {Intel 471}, url = {https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry}, language = {English}, urldate = {2021-07-29} } How cybercriminals create turbulence for the transportation industry
Mount Locker Nefilim
2021-06-23SymantecThreat Hunter Team
@online{team:20210623:ransomware:d88988e, author = {Threat Hunter Team}, title = {{Ransomware: Growing Number of Attackers Using Virtual Machines}}, date = {2021-06-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines}, language = {English}, urldate = {2021-06-25} } Ransomware: Growing Number of Attackers Using Virtual Machines
Mount Locker
2021-05-23Chuongdong blogChuong Dong
@online{dong:20210523:mountlocker:4b3d011, author = {Chuong Dong}, title = {{MountLocker Ransomware}}, date = {2021-05-23}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/}, language = {English}, urldate = {2021-06-16} } MountLocker Ransomware
Mount Locker
2021-05-18Github (Finch4)Finch
@online{finch:20210518:analysis:434b2ec, author = {Finch}, title = {{Analysis of MountLocker}}, date = {2021-05-18}, organization = {Github (Finch4)}, url = {https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker}, language = {English}, urldate = {2021-05-26} } Analysis of MountLocker
Mount Locker
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-04-23GuidePoint SecurityDrew Schmitt
@online{schmitt:20210423:mount:ccc9271, author = {Drew Schmitt}, title = {{Mount Locker Ransomware Steps up Counter-IR Capabilities, Hindering Efforts for Detection, Response and Investigation}}, date = {2021-04-23}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/}, language = {English}, urldate = {2021-04-28} } Mount Locker Ransomware Steps up Counter-IR Capabilities, Hindering Efforts for Detection, Response and Investigation
Mount Locker
2021-03-31SophosMichael Heller
@online{heller:20210331:sophos:43ef878, author = {Michael Heller}, title = {{Sophos MTR in Real Time: What is Astro Locker Team?}}, date = {2021-03-31}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/}, language = {English}, urldate = {2021-04-06} } Sophos MTR in Real Time: What is Astro Locker Team?
Mount Locker
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-12-23Dissecting MalwareMarius Genheimer
@online{genheimer:20201223:between:e482082, author = {Marius Genheimer}, title = {{Between a rock and a hard place - Exploring Mount Locker Ransomware}}, date = {2020-12-23}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html}, language = {English}, urldate = {2021-01-21} } Between a rock and a hard place - Exploring Mount Locker Ransomware
Mount Locker
2020-12-11BlackberryBlackBerry Research and Intelligence team
@online{team:20201211:mountlocker:9c495cb, author = {BlackBerry Research and Intelligence team}, title = {{MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates}}, date = {2020-12-11}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates}, language = {English}, urldate = {2020-12-14} } MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates
Cobalt Strike Mount Locker
2020-11-19Bleeping ComputerLawrence Abrams
@online{abrams:20201119:mount:0294998, author = {Lawrence Abrams}, title = {{Mount Locker ransomware now targets your TurboTax tax returns}}, date = {2020-11-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/}, language = {English}, urldate = {2020-11-23} } Mount Locker ransomware now targets your TurboTax tax returns
Mount Locker
2020-11-13Bleeping ComputerSergiu Gatlan
@online{gatlan:20201113:biotech:cbe6093, author = {Sergiu Gatlan}, title = {{Biotech research firm Miltenyi Biotec hit by ransomware, data leaked}}, date = {2020-11-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/}, language = {English}, urldate = {2020-11-19} } Biotech research firm Miltenyi Biotec hit by ransomware, data leaked
Mount Locker
2020-09-24Bleeping ComputerLawrence Abrams
@online{abrams:20200924:mount:0456f2a, author = {Lawrence Abrams}, title = {{Mount Locker ransomware joins the multi-million dollar ransom game}}, date = {2020-09-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/}, language = {English}, urldate = {2020-10-02} } Mount Locker ransomware joins the multi-million dollar ransom game
Mount Locker
Yara Rules
[TLP:WHITE] win_mount_locker_auto (20211008 | Detects win.mount_locker.)
rule win_mount_locker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.mount_locker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d55e0 b904010000 ff15???????? 8bd8 }
            // n = 4, score = 300
            //   488d55e0             | dec                 eax
            //   b904010000           | sub                 esp, 0x20
            //   ff15????????         |                     
            //   8bd8                 | dec                 eax

        $sequence_1 = { 7423 488b0d???????? 4885c9 7417 488364242000 4c8d4c2468 448bc7 }
            // n = 7, score = 300
            //   7423                 | mov                 dword ptr [ebx + 8], esi
            //   488b0d????????       |                     
            //   4885c9               | mov                 dword ptr [ebx + 0x10], edi
            //   7417                 | test                eax, eax
            //   488364242000         | je                  0x8ff
            //   4c8d4c2468           | dec                 eax
            //   448bc7               | mov                 ecx, dword ptr [ebx + 0x20]

        $sequence_2 = { 85c0 743b 488b4d6f 488d4567 c744243000010000 4533c9 }
            // n = 6, score = 300
            //   85c0                 | dec                 eax
            //   743b                 | test                edi, edi
            //   488b4d6f             | je                  0x149f
            //   488d4567             | dec                 eax
            //   c744243000010000     | lea                 ecx, dword ptr [eax + 0x10]
            //   4533c9               | dec                 eax

        $sequence_3 = { 4533c0 c740d802000000 ba00000040 4533c9 ff15???????? }
            // n = 5, score = 300
            //   4533c0               | dec                 esp
            //   c740d802000000       | lea                 eax, dword ptr [0x4b54]
            //   ba00000040           | jmp                 0x366
            //   4533c9               | inc                 ecx
            //   ff15????????         |                     

        $sequence_4 = { 488bd3 ff15???????? 40f6c602 7423 488b0d???????? }
            // n = 5, score = 300
            //   488bd3               | mov                 ecx, edi
            //   ff15????????         |                     
            //   40f6c602             | inc                 ebp
            //   7423                 | movzx               ecx, word ptr [eax]
            //   488b0d????????       |                     

        $sequence_5 = { 7417 488364242000 4c8d4c2468 448bc7 488bd3 ff15???????? }
            // n = 6, score = 300
            //   7417                 | dec                 eax
            //   488364242000         | lea                 ecx, dword ptr [esp + 0x20]
            //   4c8d4c2468           | mov                 dl, 0x20
            //   448bc7               | inc                 esp
            //   488bd3               | lea                 eax, dword ptr [ebx + 0xf]
            //   ff15????????         |                     

        $sequence_6 = { 40f6c602 7423 488b0d???????? 4885c9 7417 488364242000 }
            // n = 6, score = 300
            //   40f6c602             | mov                 dword ptr [ecx + 0x8c], 0x6b206574
            //   7423                 | jne                 0xf99
            //   488b0d????????       |                     
            //   4885c9               | dec                 eax
            //   7417                 | add                 ecx, 0x20
            //   488364242000         | xor                 edx, edx

        $sequence_7 = { 4533c9 ff15???????? 488bf0 4883f8ff 7436 488364242000 4c8d4c2468 }
            // n = 7, score = 300
            //   4533c9               | mov                 dword ptr [esp], eax
            //   ff15????????         |                     
            //   488bf0               | mov                 eax, dword ptr [esp + 0x10]
            //   4883f8ff             | inc                 ecx
            //   7436                 | mov                 dword ptr [esp + 0x24], ecx
            //   488364242000         | mov                 eax, dword ptr [esp + 0x10]
            //   4c8d4c2468           | inc                 ecx

        $sequence_8 = { 488bc8 ff15???????? 85c0 7456 4c8d442434 }
            // n = 5, score = 300
            //   488bc8               | test                eax, eax
            //   ff15????????         |                     
            //   85c0                 | je                  0x50f
            //   7456                 | dec                 eax
            //   4c8d442434           | mov                 ecx, eax

        $sequence_9 = { ff15???????? 85c0 0f8461ffffff 33c9 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   85c0                 | jne                 0x7f
            //   0f8461ffffff         | inc                 ecx
            //   33c9                 | inc                 dword ptr [esp + 0xb4]

    condition:
        7 of them and filesize < 225280
}
Download all Yara Rules