
Cybercrime, MountLocker evolves and counts on affiliate programs

BlackBerry: The MountLocker ransomware is evolving. The latest version is smaller, but has a broader target list

MountLocker ransomware is evolving, according to BlackBerry cybersecurity researchers. The new version broadens the range of file types it encrypts, evades security software, and offers double-extortion capabilities to affiliates. Victims' files are first exfiltrated via FTP and then encrypted with ChaCha20; the per-file encryption keys are in turn encrypted with RSA-2048. The cryptographic design appears reasonably sound: there are no trivial weaknesses that would allow easy key recovery and decryption of the data. MountLocker does, however, use a cryptographically insecure method for key generation that may be prone to attack. The developers also reduced the size of the 64-bit variant to 46 KB (about 50% smaller). To achieve this, they removed the list of more than 2,600 file extensions that earlier versions targeted for encryption. The new version instead carries a much shorter exclusion list and encrypts everything except files with these extensions (executables, system files, scripts, fonts and shortcuts): .EXE, .DLL, .SYS, .MSI, .MUI, .INF, .CAT, .BAT, .CMD, .PS1, .VBS, .TTF, .FON, .LNK.
