Windows API Used as a Doorway in a MountLocker Ransomware Operation


The MountLocker ransomware operation now uses Windows Active Directory enterprise APIs to spread through the networks of the organizations it targets. MountLocker began operating in July 2020 as a Ransomware-as-a-Service (RaaS).

Under this arrangement, the MountLocker core team receives 20-30% of each ransom payment and the affiliate keeps the remainder. In March 2021, the 'Astro Locker' ransomware group emerged and began using a customized version of the MountLocker ransomware, with ransom notes pointing to its own payment and data leak sites.

"It's not a rebranding, probably we can define it as an alliance," Astro Locker told BleepingComputer when asked about its association with MountLocker. In May 2021, a third group, 'XingLocker', emerged, which also uses a customized MountLocker ransomware executable.

Earlier this week, MalwareHunterTeam shared a sample of what was believed to be a new MountLocker executable incorporating a worm feature that lets it spread to, and encrypt, other devices on the network. After examining the sample, BleepingComputer confirmed that it was a customized build for the XingLocker group.

A brief analysis by BleepingComputer showed that the worm feature is enabled by running the malware sample with the /NETWORK command-line argument. As this feature requires a Windows. After sharing the sample with Advanced Intel CEO Vitali Kremez, it was found that MountLocker now uses the Windows Active Directory Service Interfaces (ADSI) API as part of its worm feature.

"Many corporate environments rely on complex active directory forests and computers within them. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operation outside of the normal network and share scan," Kremez told BleepingComputer in a conversation about the malware.

"This is the quantum shift of professionalizing ransomware development for corporate network exploitation," he added. As Windows network administrators commonly use this API, Kremez believes the threat actor who added this code likely has some Windows domain administration experience.

While this API has been seen in other malware, such as TrickBot, this may be the first enterprise-targeting ransomware to use it for built-in reconnaissance and to spread to other devices.
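To make concrete what "using the Active Directory Service Interfaces API to identify additional encryption targets" looks like in practice, here is an added PowerShell example. It is not MountLocker's code and is not derived from the sample; it is the ordinary administrative query, written against the standard ADSI/LDAP interfaces, that enumerates every enabled computer account in the current domain. The LDAP filter, the attribute names and the assumption that it runs on a domain-joined host are the author's, not taken from the article.

```powershell
# Added illustration, not the ransomware's code: enumerate enabled computer
# accounts in the current domain through ADSI, the same Windows API family the
# article says the worm feature uses to find targets beyond a plain network/share scan.
# Assumes a domain-joined host; the filter and attributes are standard AD schema.

# Bind to RootDSE via ADSI and read the domain's default naming context (e.g. DC=corp,DC=local).
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext

# DirectorySearcher wraps the ADSI search interfaces; it is what [ADSISearcher] expands to.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"

# objectCategory=computer selects machine accounts; the bitwise-AND rule
# (OID 1.2.840.113556.1.4.803) on userAccountControl excludes disabled ones (bit 2).
$searcher.Filter   = "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$searcher.PageSize = 1000   # paged results so large forests are fully enumerated
[void]$searcher.PropertiesToLoad.AddRange(@("dNSHostName", "operatingSystem", "lastLogonTimestamp"))

# Result property keys are returned lower-cased by DirectorySearcher.
$hosts = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    [PSCustomObject]@{
        Host     = $p["dnshostname"]     | Select-Object -First 1
        OS       = $p["operatingsystem"] | Select-Object -First 1
        LastSeen = if ($p["lastlogontimestamp"].Count) {
                       [DateTime]::FromFileTime([int64]$p["lastlogontimestamp"][0])
                   } else { $null }
    }
}

# Most recently active machines first: the reachable targets, whether the caller
# is an administrator taking inventory or malware choosing where to spread.
$hosts | Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

The point for defenders is that nothing in this query is unusual for an administrator, which is exactly why it blends in. What is unusual is where it comes from: a workstation or file server that normally never issues LDAP searches for objectCategory=computer suddenly doing so, shortly before SMB connections fan out to the hosts it returned, is a pattern worth alerting on in LDAP and Windows security logs.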