The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks.
MountLocker started operating in July 2020 as a Ransomware-as-a-Service (RaaS) where developers are responsible for programming the ransomware software and payment site, and affiliates are recruited to hack businesses and encrypt their devices.
As part of this arrangement, the MountLocker core team receives a smaller cut of 20-30% of a ransom payment, while the affiliate gets the rest.
In March 2021, a new ransomware group emerged called ‘Astro Locker’ that began using a customized version of the MountLocker ransomware with ransom notes pointing to their own payment and data leak sites.
“It isn’t a rebranding, probably we can define it as an alliance,” Astro Locker told BleepingComputer when we asked about their connection to MountLocker.
Finally, in May 2021, a third group emerged called ‘XingLocker’ who also uses a customized MountLocker ransomware executable.
MountLocker worms its way to other devices
This week, MalwareHunterTeam shared a sample of what was believed to be a new MountLocker executable that contains a new worm feature that allows it to spread to and encrypt other devices on the network.
After installing the sample, BleepingComputer confirmed that it was a customized sample for the XingLocker team.
A brief analysis by BleepingComputer determined that you could enable the worm feature by running the malware sample with the /NETWORK command-line argument. As this feature requires a Windows domain, our tests quickly failed, as shown below.
After sharing the sample with Advanced Intel CEO Vitali Kremez, it was discovered that MountLocker is now using the Windows Active Directory Service Interfaces API as part of its worm feature.
The ransomware first uses the NetGetDCName() function to retrieve the name of the domain controller. Then it performs LDAP queries against the domain controller’s ADS using the ADsOpenObject() function with credentials passed on the command line.
Once it connects to the Active Directory services, it will iterate over the database for objects of ‘objectclass=computer’, as shown in the image above.
For each object it finds, MountLocker will attempt to copy the ransomware executable to the remote device’s ‘C$\ProgramData’ folder.
The ransomware will then remotely create a Windows service that loads the executable so it can proceed to encrypt the device.
Using this API, the ransomware can find all devices that are part of the compromised Windows domain and encrypt them using stolen domain credentials.
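The spreading sequence above leaves a distinctive host-side trail: a remote write of an executable into ProgramData over the C$ admin share (Windows Security Event ID 5145) followed within seconds by a service install pointing at that file (System Event ID 7045). The following detection script is an added example, not code from the article or from the malware; the event dictionaries are a constructed, hypothetical normalisation of those two event types, and the sample events are made up.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Field names are a hypothetical
# normalisation of Security 5145 (share access) and System 7045 (service install).
SAMPLE_EVENTS = [
    {"ts": "2021-05-20T10:00:01", "host": "WS01", "event_id": 5145, "share": "\\\\*\\C$",
     "relative_target": "ProgramData\\svc.exe", "source_ip": "10.0.0.5"},
    {"ts": "2021-05-20T10:00:09", "host": "WS01", "event_id": 7045,
     "image_path": "C:\\ProgramData\\svc.exe", "service_name": "UpdateSvc"},
    {"ts": "2021-05-20T10:00:30", "host": "WS02", "event_id": 5145, "share": "\\\\*\\C$",
     "relative_target": "ProgramData\\svc.exe", "source_ip": "10.0.0.5"},
    {"ts": "2021-05-20T10:00:41", "host": "WS02", "event_id": 7045,
     "image_path": "\"C:\\ProgramData\\svc.exe\"", "service_name": "UpdateSvc"},
    {"ts": "2021-05-20T10:05:00", "host": "WS03", "event_id": 5145, "share": "\\\\*\\C$",
     "relative_target": "ProgramData\\notes.txt", "source_ip": "10.0.0.5"},   # not an .exe
    {"ts": "2021-05-20T10:06:00", "host": "WS04", "event_id": 7045,
     "image_path": "C:\\Program Files\\Vendor\\agent.exe", "service_name": "VendorAgent"},
    {"ts": "2021-05-20T10:07:00", "host": "WS05", "event_id": 7045,               # no remote write
     "image_path": "C:\\ProgramData\\old.exe", "service_name": "LegacySvc"},
]

def _norm_path(share: str, relative_target: str) -> str:
    """Map a \\\\*\\C$ share write to the local path a service ImagePath would use."""
    drive = share.rstrip("$")[-1]            # "\\*\C$" -> "C"
    return f"{drive}:\\{relative_target}".lower()

def find_remote_service_drops(events, window=timedelta(minutes=5)):
    """Alert when an .exe written into ProgramData via an admin share is then
    installed as a service on the same host within `window`."""
    drops = {}   # (host, local path) -> (write time, writer IP)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_id"] == 5145 and ev["share"].endswith("$"):
            path = _norm_path(ev["share"], ev["relative_target"])
            if path.startswith("c:\\programdata\\") and path.endswith(".exe"):
                drops[(ev["host"], path)] = (ts, ev["source_ip"])
        elif ev["event_id"] == 7045:
            key = (ev["host"], ev["image_path"].strip('"').lower())
            if key in drops and ts - drops[key][0] <= window:
                alerts.append({"host": ev["host"], "source_ip": drops[key][1],
                               "service_name": ev["service_name"],
                               "image_path": ev["image_path"]})
    return alerts

def spreading_sources(alerts, min_hosts=2):
    """One writer pushing the same service binary to several hosts is the worm pattern."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["source_ip"], set()).add(a["host"])
    return {src: sorted(h) for src, h in by_src.items() if len(h) >= min_hosts}
```

A real deployment would read these fields from a SIEM export of Security 5145 (ShareName, RelativeTargetName, IpAddress) and System 7045 (ImagePath, ServiceName) records rather than the inline list.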
“Many corporate environments rely on complex active directory forests and computers within them. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operation outside of the normal network and share scan,” Kremez told BleepingComputer in a conversation about the malware.
“This is the quantum shift of professionalizing ransomware development for corporate network exploitation.”
As Windows network administrators commonly use this API, Kremez believes the threat actor who added this code likely has some Windows domain administration experience.
While this API has been seen in other malware, such as TrickBot, this may be the first “corporate ransomware for professionals” to use these APIs to perform built-in reconnaissance and spreading to other devices.