MountLocker Is Ransomware-as-a-Service For Extortion, BlackBerry Says

There’s a new threat to watch out for when it comes to ransomware, dubbed MountLocker, based on a recent report published by the BlackBerry Research and Intelligence Team. Discovered, tracked, and researched by the BlackBerry Incident Response Team, the malware is particularly malicious.

That’s because MountLocker works as a Ransomware-as-a-Service (RaaS), so it’s not malware that’s been created and distributed traditionally. Instead, active since July according to the BlackBerry team, it’s distributed via the cloud after an affiliate instigates an initial attack, that is, after the affiliate breaches and compromises a system.

MountLocker is Ransomware-as-a-Service, BlackBerry says

As with all ransomware, MountLocker is intended to force victims to pay in order to get back private data and prevent public exposure, BlackBerry says. But since it’s Ransomware-as-a-Service (RaaS), it’s not necessarily designed by those who are using it. Instead, it’s used by MountLocker affiliates, distributed during another breach or attack.

Affiliates were seen by BlackBerry’s team using other off-the-shelf tools and technology such as CobaltStrike Beacon to deploy the ransomware. They then extracted sensitive client data over FTP and encrypted it. The blackmail and extortion typically associated with ransomware followed that.

But because this is RaaS and accessed via an affiliate program, it isn’t necessarily limited to select regions or limited in reach either. Targeting is, BlackBerry says, “geographically diverse and becoming more prominent.”

How can you circumvent this?

As of this writing, BlackBerry hasn’t outlined recommendations for preventing or overcoming MountLocker.

MountLocker encrypts with ChaCha20, and the file encryption keys are encrypted using RSA-2048. So there are no trivial weaknesses, BlackBerry’s team says, making key recovery and decryption without paying off affiliates a challenge. MountLocker does use an insecure method for key generation that may be prone to attack, though, and that could ultimately help in developing solutions to an attack and preventative measures.

Moreover, MountLocker was updated in November to broaden target file types and better evade security software, although BlackBerry says its own security solutions do a good job of stopping this type of malware from being installed to begin with.