Security News > 2021 > May > MountLocker ransomware uses Windows API to worm through networks
The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks.
In March 2021, a new group ransomware group emerged called 'Astro Locker' that began using a customized version of the MountLocker ransomware with ransom notes pointing to their own payment and data leak sites.
Finally, in May 2021, a third group emerged called 'XingLocker' who also uses a customized MountLocker ransomware executable.
After sharing the sample with Advanced Intel CEO Vitali Kremez, it was discovered that MountLocker is now using the Windows Active Directory Service Interfaces API as part of its worm feature.
For each object it finds, MountLocker will attempt to copy the ransomware executable to the remote device's 'C$ProgramData' folder.
"Many corporate environments rely on complex active directory forests and computer within then. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operation outside of the normal network and share scan," Kremez told BleepingComputer in a conversation about the malware.