Mount Locker Ransomware
A new ransomware threat being weaponized against business organizations has been detected by infosec researchers. Called the Mount Locker Ransomware, this piece of malware comes equipped with several new tricks for extorting money from its victims.
The Mount Locker Ransomware Demands Millions for Decryption
The hackers behind the Mount Locker Ransomware target business entities primarily. They breach the corporate network of their victims and deploy the Mount Locker Ransomware threat. Once inside, the Mount Locker Ransomware proceeds to encrypt the files stored on the computer, as well as on any connected storage devices, with an uncrackable combination of encryption algorithms. Before that, however, the Mount Locker Ransomware exfiltrates huge chunks of the victim's data and threatens to start leaking it on a website under the control of the cybercriminals unless their demands are met. In one case, around 400 GB of data had been collected by the Mount Locker Ransomware and were subsequently uploaded to the data leak website when the victim decided not to pay. This is understandable when considering that the hackers wanted to receive a ransom of $2 million in Bitcoin in some reported cases.
The Files Encrypted by the Mount Locker Ransomware cannot be Brute-Forced
When cybersecurity experts took a look at the underlying code of the Mount Locker Ransomware, they uncovered that the threat was using a combination of encryption algorithms that cannot be bypassed without the corresponding private key. The data itself is encrypted with the ChaCha20 algorithm, a variant of the Salsa20 stream cipher. In turn, an embedded RSA-2048 public key is used to encrypt the ChaCha20 decryption key, so only the holder of the matching RSA private key can recover it.
The Mount Locker Ransomware modifies every encrypted file's original filename by appending 'ReadManual' followed by a string of characters representing the unique ID assigned to the victim. The ransom note with instructions is dropped as a file named 'RecoveryManual.html'. The Mount Locker Ransomware tampers with the Registry to ensure that the ransom note is displayed every time one of the encrypted files is clicked. The Registry entry it creates is:
HKCU\Software\Classes\.C77BFF8C\shell\Open\command @="explorer.exe RecoveryManual.html"
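To hunt for the two artifacts just described (the appended extension and the per-victim file-class hijack) in a file listing and a registry export, here is an added triage example; it is not code from the original article, and the filenames and .reg text it parses are constructed samples. It assumes the victim ID in the filename matches the hijacked registry class name, as in the .C77BFF8C example above.

```python
"""Triage helper for the Mount Locker indicators described above (added example)."""
import re

# Encrypted files: <original name>.ReadManual.<victim ID>; the ID format is assumed to be alphanumeric.
ENCRYPTED_NAME_RE = re.compile(r"^(?P<original>.+)\.ReadManual\.(?P<victim_id>[0-9A-Za-z]+)$")

# A .reg export renders the key on the page as [HKEY_CURRENT_USER\Software\Classes\.<ID>\shell\Open\command]
SHELL_CMD_KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\\.(?P<ext>[^\\\]]+)\\shell\\Open\\command\]$",
    re.IGNORECASE,
)
# Default value line of that key, e.g.  @="explorer.exe RecoveryManual.html"
DEFAULT_VALUE_RE = re.compile(r'^@="(?P<cmd>[^"]*)"$')


def find_encrypted_files(names):
    """Return (filename, victim_id) for every name carrying the appended extension."""
    hits = []
    for name in names:
        m = ENCRYPTED_NAME_RE.match(name)
        if m:
            hits.append((name, m.group("victim_id").upper()))
    return hits


def find_note_handlers(reg_text):
    """Return (extension, command) for shell\\Open\\command defaults that open RecoveryManual.html."""
    findings, current_ext = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = SHELL_CMD_KEY_RE.match(line)
        if key:
            current_ext = key.group("ext")
            continue
        if line.startswith("["):  # any other key header ends the section of interest
            current_ext = None
            continue
        val = DEFAULT_VALUE_RE.match(line)
        if current_ext and val and "recoverymanual.html" in val.group("cmd").lower():
            findings.append((current_ext, val.group("cmd")))
    return findings


def correlate(names, reg_text):
    """Victim IDs seen both as an appended file extension and as a hijacked registry class."""
    file_ids = {vid for _, vid in find_encrypted_files(names)}
    reg_ids = {ext.upper() for ext, _ in find_note_handlers(reg_text)}
    return sorted(file_ids & reg_ids)


# Constructed sample input for demonstration only.
SAMPLE_FILES = ["Q3-report.xlsx.ReadManual.C77BFF8C", "notes.txt", "RecoveryManual.html"]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.C77BFF8C\shell\Open\command]
@="explorer.exe RecoveryManual.html"

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"
"""
```

A hit from correlate() on a real host means both the file renaming and the Registry hijack described above are present, which is a stronger signal than either artifact alone.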
Victims of this ransomware are asked to visit a website created by the hackers behind Mount Locker that can only be reached through the Tor browser. The website itself contains little more than a chat function. Affected users are offered the opportunity to have two or three files decrypted for free.
The full text of the ransom note is:
/!\ YOUR COMPANY' NETWORK HAS BEEN HACKED /!\
All your important files have been encrypted and copied to our private servers!
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
But keep calm! There is a solution for your problem!
For some money reward we can decrypt all your encrypted files.
Also we will delete all your private data from our servers.
To prove that we are able to decrypt your files we give you the ability to decrypt 2-3 files for free.
So what is you next step ? Contact Us! Contact us for price and get decryption software.
* Note that you need installed Tor Browser to open this kind of links.
Follow the instructions to install/run Tor Browser:
1. Go to Tor Project using your default browser.
2. Click "Download Tor Browser", choose version depends on you operation system, usually it is Windows. Download and install it
3. After installation you will see new folder on your desktop: "Tor Browser". Open this folder and run "Start Tor Browser" link.
4. Using Tor Browser go to
5. Carefully copy your client id from this document and paste it into Authorization window in opened page. Click 'OK'.
6. After that you will see a special chat web application to comminicate with us.
7. NB! Please be patient - sometimes our support team can be away from the keyboard but they will answear you as soon as possible! Time is Money! Contact us as soon as possible.
We won't store you decryption key forever!
The Tor site listed in the ransom note is a chat service where victims can talk to the hackers to ask questions or negotiate a ransom. Unfortunately for victims, the ransomware's encryption is implemented securely. There is currently no way to unlock the encrypted data for free.
How to Protect Against Mount Locker
IT and security staff should ensure that everyone connected to the network understands the risks of ransomware and other malware. Even the most robust security program is only as strong as the weakest link. It takes just one naïve person clicking on the wrong link to bring down the entire system. Put protections in place and make sure people follow safety protocols.
Corporations should also keep regular backups of the most important files on the system. What counts as the “most important” can vary between organizations, but you should feel sure that you can always get your files back. Having extra copies of essential data means you aren’t pressured into paying the ransom.
Keep the backups offline and in separate locations. It’s best if you can keep them offsite. Either way, they should be separated from the network and systems. Cloud backups work fine as well, so long as they are secured. Ransomware threats like Mount Locker are programmed to look for backups and erase them. Even connecting a backup device before removing the ransomware could be enough to destroy the backup.
The more copies you have of the data – and the more spread out those copies are – the better. Don’t rely on having one or two copies on one or two devices. The same applies to cloud services. Don’t assume everything is safe because you have multiple copies but store them all with a single cloud service.