MountLocker ransomware uses Windows API to worm through networks (Security News, May 2021)

The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks.
In March 2021, a new ransomware group called 'Astro Locker' emerged, using a customized version of the MountLocker ransomware with ransom notes pointing to its own payment and data leak sites.
Finally, in May 2021, a third group called 'XingLocker' emerged that also uses a customized MountLocker ransomware executable.
After sharing the sample with Advanced Intel CEO Vitali Kremez, it was discovered that MountLocker is now using the Windows Active Directory Service Interfaces API as part of its worm feature.
For each object it finds, MountLocker will attempt to copy the ransomware executable to the remote device's 'C$\ProgramData' folder.
"Many corporate environments rely on complex active directory forests and computers within them. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operation outside of the normal network and share scan," Kremez told BleepingComputer in a conversation about the malware.
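The lateral movement described above leaves a recognisable trace: one source host writing an executable into ProgramData through the C$ admin share on many computers in a short window. The following detection logic is an added example, not code from the article or from the malware; it runs over constructed records whose field names (time, src, host, share, target, mask) are an assumed flattening of Windows Security event 5145 (detailed file share access), and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on event 5145 fields (IpAddress,
# Computer, ShareName, RelativeTargetName, AccessMask). Field names are an
# assumption about how the SIEM/forwarder has parsed the events.
SAMPLE_EVENTS = [
    {"time": "2021-05-20T10:00:01", "src": "10.0.0.5", "host": "WS01",
     "share": "\\\\*\\C$", "target": "ProgramData\\update.exe", "mask": "0x2"},
    {"time": "2021-05-20T10:00:03", "src": "10.0.0.5", "host": "WS02",
     "share": "\\\\*\\C$", "target": "ProgramData\\update.exe", "mask": "0x2"},
    {"time": "2021-05-20T10:00:04", "src": "10.0.0.5", "host": "WS03",
     "share": "\\\\*\\C$", "target": "ProgramData\\update.exe", "mask": "0x2"},
    # Benign: an admin dropping a text file into ProgramData on one host.
    {"time": "2021-05-20T10:02:00", "src": "10.0.0.9", "host": "WS05",
     "share": "\\\\*\\C$", "target": "ProgramData\\notes.txt", "mask": "0x2"},
    # Benign: a read (no write bit) of an agent binary on two hosts.
    {"time": "2021-05-20T10:05:00", "src": "10.0.0.7", "host": "WS06",
     "share": "\\\\*\\C$", "target": "ProgramData\\agent.exe", "mask": "0x1"},
    {"time": "2021-05-20T11:30:00", "src": "10.0.0.7", "host": "WS07",
     "share": "\\\\*\\C$", "target": "ProgramData\\agent.exe", "mask": "0x1"},
]

WRITE_BIT = 0x2  # FILE_WRITE_DATA / FILE_ADD_FILE in the 5145 AccessMask


def is_admin_share_exe_write(ev):
    """True when an executable is written under ProgramData via the C$ share."""
    share = ev["share"].upper().rstrip("\\")
    target = ev["target"].lower()
    mask = int(ev["mask"], 16)
    return bool(share.endswith("\\C$")
                and target.startswith("programdata\\")
                and target.endswith((".exe", ".dll"))
                and mask & WRITE_BIT)


def find_admin_share_spray(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {source_ip: sorted hosts} for each source that pushed an executable
    into ProgramData over C$ on at least min_hosts distinct computers in window."""
    by_src = defaultdict(list)
    for ev in events:
        if is_admin_share_exe_write(ev):
            by_src[ev["src"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))
    hits = {}
    for src, writes in by_src.items():
        writes.sort()  # sliding window over writes ordered by time
        for i, (t0, _) in enumerate(writes):
            hosts = {h for t, h in writes[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    print(find_admin_share_spray(SAMPLE_EVENTS))
```

Only the source that wrote update.exe to three hosts within seconds is reported; single-host writes and reads without the write bit are ignored.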