Mount Locker ransomware operators demand multi-million dollar ransoms

The operators behind a new ransomware dubbed Mount Locker have adopted the same tactic as other gangs, threatening to leak victims' stolen data.

A new ransomware gang named Mount Locker has started operations, stealing victims’ data before encrypting it.

According to BleepingComputer, the ransomware operators are demanding multi-million dollar ransoms.

Like other ransomware operators, Mount Locker targets corporate networks. It has been active since the end of July 2020.

“From ransom notes shared with BleepingComputer by victims, the Mount Locker gang is demanding multi-million dollar ransom payments in some cases,” reported BleepingComputer.

Mount Locker ransom note (Source: BleepingComputer)

In one of the attacks attributed to the group, the gang stole 400 GB of data from the victim and threatened to share it with the victim's competitors, media outlets, and TV channels if the ransom was not paid.

The victim decided not to pay the ransom, and the group published the data on its data leak site.

Currently, the data leak site includes the names of other alleged victims, and for one of them, it contained the leaked files.

Recently, the ransomware operators claimed to have stolen files from ThyssenKrupp System Engineering, the security company Gunnebo, Memry (a provider of Nitinol components), and Makalot.

#MountLocker #Ransomware claimed ThyssenKrupp System Engineering as a victim. ThyssenKrupp is a tech holding company with global reach, producing steel and other products for a variety of industries. 161k employees, $46 Billion revenue pic.twitter.com/4nIWarR9G3 — Ransom Leaks (@ransomleaks) September 25, 2020

#MountLocker #Ransomware claimed Gunnebo as a victim and claimed to steal source code, HR, and financial data. Gunnebo, founded in 1764 in Sweden, is a security company specializing in security products, services, and software solutions. 4k employees, $860m revenue pic.twitter.com/sCdRFZwMwz — Ransom Leaks (@ransomleaks) September 25, 2020

#MountLocker claimed Memry as a victim. Established in 1983, Memry is HQ’d in Connecticut. They provide Nitonol components including products for laser cutting, grinding and surface finishing. $108m revenue, 400 employees pic.twitter.com/p8MNDC8hev — Ransom Leaks (@ransomleaks) September 25, 2020

#MountLocker #Ransomware claimed Makalot Industrial Co. as a victim. Makalot is a leader in the garmenting industry with customers like @walmart @UnderArmour @ASICSamerica @SKECHERSUSA @TOMS @Gap. 33k employees, $741m revenue pic.twitter.com/Qkstd5SBJC — Ransom Leaks (@ransomleaks) September 25, 2020

According to the popular malware researcher Michael Gillespie, Mount Locker uses ChaCha20 to encrypt the files and an embedded RSA-2048 public key to encrypt the encryption key.

The malware appends the extension .ReadManual.ID to the filenames of the encrypted files.

The ransom note, named RecoveryManual.html, includes instructions on how to access a Tor site hosting a chat service that allows victims to communicate with the ransomware operators.
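The two file-system indicators above (the .ReadManual.ID extension and the RecoveryManual.html note) can be used to triage a file listing during incident response. The script below is an added example, not code from the article or from any vendor; it assumes "ID" stands for a variable alphanumeric token, and the function names and sample paths are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Indicators named in the article. Treating "ID" as a variable
# alphanumeric token is an assumption of this example.
ENCRYPTED_RE = re.compile(r"\.ReadManual\.([A-Za-z0-9]+)$", re.IGNORECASE)
NOTE_NAME = "recoverymanual.html"


def triage(paths):
    """Group file paths by directory and record Mount Locker indicators."""
    dirs = defaultdict(lambda: {"encrypted": 0, "ids": set(), "note": False})
    for raw in paths:
        # Normalise separators so Windows and POSIX listings both parse.
        parent, _, name = raw.replace("\\", "/").rpartition("/")
        match = ENCRYPTED_RE.search(name)
        if match:
            dirs[parent]["encrypted"] += 1
            dirs[parent]["ids"].add(match.group(1))
        elif name.lower() == NOTE_NAME:
            dirs[parent]["note"] = True
    return dict(dirs)


def high_confidence(report):
    """Directories that hold both renamed files and the ransom note."""
    return sorted(d for d, e in report.items() if e["encrypted"] and e["note"])


def scan_tree(root):
    """Walk a live directory tree and triage every file under it."""
    return triage(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)


# Constructed sample listing, not taken from any real incident.
SAMPLE = [
    r"D:\share\finance\q3.xlsx.ReadManual.7F3A91C2",
    r"D:\share\finance\budget.docx.ReadManual.7F3A91C2",
    r"D:\share\finance\RecoveryManual.html",
    r"D:\share\hr\policy.pdf",
    r"D:\share\docs\ReadManual.txt",   # benign lookalike, must not match
    r"D:\share\eng\RecoveryManual.html",  # note without renamed files
]

if __name__ == "__main__":
    for directory in high_confidence(triage(SAMPLE)):
        print("likely encrypted:", directory)
```

Directories that contain only the note, or only renamed files, stay in the report returned by `triage` so an analyst can review them separately from the high-confidence hits.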

Experts confirmed that the encryption process implemented by the ransomware is not affected by any flaw, which means that it is not possible to recover the victims’ files for free.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Mount Locker ransomware operators demand multi-million dollar ransoms appeared first on Security Affairs.