Researchers have discovered Mount Locker ransomware now targets Windows Active Directory APIs to worm or spread its way through networks.
Mount Locker was first spotted back in July 2020 as a Ransomware-as-a-Service (RaaS) and has quickly evolved its capabilities into a formidable threat.
Last November, cybersecurity experts found the ransomware was targeting TurboTax tax returns. Moreover, the developers then added just last month scripting and “counter-IR” capabilities that are designed to disable detection and prevention tools.
As reported by BleepingComputer on May 19, Mount Locker now appears to have added a new worm feature used to spread and encrypt other devices on the network.
“After sharing the sample with Advanced Intel CEO Vitali Kremez, it was discovered that MountLocker is now using the Windows Active Directory Service Interfaces API as part of its worm feature,” Lawrence Abrams of BleepingComputer wrote.
“The ransomware first uses the NetGetDCName() function to retrieve the name of the domain controller. Then it performs LDAP queries against the domain controller’s ADS using the ADsOpenObject() function with credentials passed on the command line.”
Furthermore, Mount Locker uses the API to then discover other devices on the compromised Windows domain and then encrypt those devices using stolen domain credentials.
Kremez told BleepingComputer that the developer likely had a previous Windows domain administrator experience based on how widely used this API is by Windows network administrators.
- CISA and FBI alert: DarkSide ransomware used in Colonial Pipeline cyberattack (and mitigation guidance)
- Pipeline ransomware attack shuts down 45% of East Coast’s fuel (US passes emergency waiver, systems restarted) – updated
- Threat actors use FiveHands Ransomware and SombRAT in new cyberattack
- Alert: Qlocker and eCh0raix ransomware attacks against QNAP NAS devices
- CISA publishes reports on DearCry ransomware and China Chopper Web Shell malware linked to Exchange Server exploits (update-2)