MountLocker ransomware hackers upgrade covert approach

The ransomware-for-hire scheme is expanding.
Ransomware lock depiction
(Nattapon Kongbunmee / Getty Images)

BlackBerry researchers on Friday revealed new details about a ransomware strain that emerged this summer that hackers are peddling as a ransomware service for hire.

It is unclear who exactly is behind the ransomware, called MountLocker. Within the last month, though, the scammers behind the ransomware have updated it several times in an effort to bypass detection, according to the researchers.

MountLocker, which security professionals initially uncovered in July, according to the U.K. National Health Service Digital, tends to encrypt targets’ files like traditional ransomware strains. Affiliates now are using MountLocker to run extortion and blackmail schemes in an effort to compel larger payouts from victims, according to BlackBerry. In some cases, the ransom demands have been seven figures.

It’s the latest ransomware strain to take part in the extortion tactic, which the FBI and security researchers have been warning about for months.


MountLocker affiliates have largely relied on commercially available tools, such as AdFind, to conduct network reconnaissance, and a hacking tool known as Cobalt Strike Beacon, to spread laterally in victim networks, according to BlackBerry.

Affiliates typically use remote desktop tools and stolen credentials to gain access to targets, researchers say. BlackBerry did not share specific details about the victims.

Prior reports suggested that the MountLocker hackers were behind a recent cyberattack against Sonoma Valley Hospital, though the hacking group has denied involvement, according to Sonoma Valley Hospital attributed the attack to a suspected Russian “threat actor” earlier this week. 

Other reported victims include Swiss security firm Gunnebo, Germany-based ThyssenKrupp System Engineering, Germany-based biotechnology firm Miltenyi Biotec, U.S.-based manufacturer Memry and Taiwan-based Makalot, a garment manufacturer.

It is still early days for tracking MountLocker, says Allan Liska, an analyst at Recorded Future. “While other ransomware actors boast dozens or hundreds of victims on their extortion site, MountLocker has yet to crack double digits,” Liska said.


MountLocker remains worth observing because it expands the playing field for hackers who are interested in leveraging ransomware against targets, according to Liska.

“The problem is more with the affiliates who participate in their [ransomware-as-a-service] program, they tend to be inexperienced, especially when compared to … other offerings,” Liska said. “If the affiliates do manage to gain access the tools these teams use, such as AdFind and Cobalt Strike — tools used by most ransomware actors at this point — have become so easy to use that everything can be heavily scripted, giving even less experienced ransomware operators a chance at success.”

The BlackBerry researchers warned that the hackers have struck a range of targets, even if its public list of victims is much smaller.

“The site is currently listing five victims; we believe the actual number to be far greater,” the researchers write. “The MountLocker Operators are clearly just warming up. After a slow start in July they are rapidly gaining ground, as the high-profile nature of extortion and data leaks drive ransom demands ever higher.”

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts