MountLocker Ransomware Is Now Using the Windows API
The Ransomware Operation Uses Enterprise Windows Active Directory APIs to Worm Through Networks.
Last updated on May 20, 2021
MountLocker is a Ransomware as a Service operation, RaaS, that started operating in July 2020.
In the RaaS business model, the developers are in charge of programming the ransomware software and payment site, and in order to create revenue, affiliates are recruited to hack and encrypt devices belonging to businesses.
MountLocker core team receives a smaller cut of 20-30% of a ransom payment and the affiliate gets the rest, as part of this arrangement.
In March 2021, ‘Astro Locker’ ransomware group emerged and started using a customized version of the MountLocker ransomware with ransom notes pointing to their own payment and data leak sites.
“It’s not a rebranding, probably we can define it as an alliance,” Astro Locker declared for the news publication BleepingComputer when questioned about their connection to MountLocker.
But Astro Locker is not the only ransomware group that uses a customized MountLocker ransomware executable, as in May 2021, a third group called ‘XingLocker’ also appeared on the market.
MalwareHunterTeam had recently shared a sample of what is believed to be a new MountLocker executable containing a new worm feature that allows it to spread and encrypt to other devices on the network, which seems to have been created especially for the XingLocker team.
An analysis ran by BleepingComputer showed that you could enable the worm feature by running the malware sample with the /NETWORK command-line argument, therefore coming to the conclusion that MountLocker is now using the Windows Active Directory Service Interfaces API as part of its worm feature.
MountLocker ransomware first uses the NetGetDCName() function in order to retrieve the name of the domain controller, after this action is completed it performs LDAP queries against the domain controller’s ADS using the ADsOpenObject() function with credentials passed on the command line.
Once it managed to connect to the Active Directory services, it will iterate over the database for objects of ‘objectclass=computer’, and for each and every object it finds, it will attempt to copy the ransomware executable to the remote device’s ‘\C$\ProgramData’ folder, in order to then remotely create a Windows service able to load the executable so it can proceed to encrypt the device.
By making use of this API, the ransomware is able to locate all devices that are part of the compromised Windows domain and encrypt them by using the stolen domain credentials.
Many corporate environments rely on complex active directory forests and computers within them. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operation outside of the normal network and share scan.
This is the quantum shift of professionalizing ransomware development for corporate network exploitation.
It’s interesting to note the fact that this API has been seen in other malware, such as TrickBot, but this may be the first corporate type ransomware for professionals that are using these APIs in order to perform built-in reconnaissance and spread to other devices.
Neutralize ransomware before it can hit.
Heimdal™ Ransomware Encryption Protection
Specifically engineered to counter the number one security risk to any business – ransomware.
Blocks any unauthorized encryption attempts;
Detects ransomware regardless of signature;
Universal compatibility with any cybersecurity solution;
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.