MountLocker ransomware uses Windows API to navigate the network
The MalwareHunterTeam team has announced a new version of MountLocker ransomware that has acquired a worm-like function and uses the Windows API.
MountLocker ransomware can now use Windows Active Directory corporate APIs to navigate networks and encrypt other devices.
MountLocker began operating in July 2020 as a service (RaaS), where developers are responsible for building ransomware software and a payment site, and affiliates are invited to hack into businesses and encrypt their devices.
“As part of this arrangement, the MountLocker core team receives a 20-30% share of the buyout and the affiliate receives the rest”, — journalists Bleeping Computer explained.
In March 2021, a new ransomware group called Astro Locker emerged and started using a customized version of MountLocker ransomware with ransom messages pointing to their own payment and leak sites.
Akhirnya, in May 2021, a third group emerged called XingLocker, which also uses a customized MountLocker ransomware executable.
This week, MalwareHunterTeam shared a sample of what is considered the new MountLocker executable and contains a new worm feature that allows it to spread across other devices on the network and encrypt data.
“This malware is a qualitative shift in the professional development of ransomware to exploit corporate networks”, — MalwareHunterTeam told.
The malware first uses the NetGetDCName () function to get the name of the domain controller. It then makes LDAP requests to the ADS domain controller using the ADsOpenObject () function with the credentials supplied on the command line. After connecting to Active Directory services, the ransomware searches the database for objects “objectclass = computer”.
For each object found, MountLocker will attempt to copy the executable file to the \C$\ProgramData folder on the remote device. The ransomware then remotely creates a Windows service that downloads an executable file to continue encrypting the device.
Using this API, the ransomware can find all devices that are part of the compromised Windows domain and encrypt them using the stolen domain credentials.
“MountLocker is the first known ransomware to use unique corporate network patterns to uncover additional encryption targets”, — Advanced Intel Director Vitali Kremez to BleepingComputer.
Because Windows network administrators typically use this API, the attacker who injected the code likely has some experience administering Windows domains, according to experts.
Although this API has been seen in other malware such as TrickBot, experts believe MountLocker may be considered the first “professional ransomware” to use these APIs to perform intelligence and propagation to other devices.
Read also: Virus NUSM – Cara Menghapus?