Mount Locker ransomware targets Windows APIs to spread through networks

Mount Locker ransomware targets Windows APIs to spread through networks

Researchers have discovered Mount Locker ransomware now targets Windows Active Directory APIs to worm or spread its way through networks.

Mount Locker was first spotted back in July 2020 as a Ransomware-as-a-Service (RaaS) and has quickly evolved its capabilities into a formidable threat.

Last November, cybersecurity experts found the ransomware was targeting TurboTax tax returns. Moreover, the developers then added just last month scripting and “counter-IR” capabilities that are designed to disable detection and prevention tools.

As reported by BleepingComputer on May 19, Mount Locker now appears to have added a new worm feature used to spread and encrypt other devices on the network.

“After sharing the sample with Advanced Intel CEO Vitali Kremez, it was discovered that MountLocker is now using the Windows Active Directory Service Interfaces API as part of its worm feature,” Lawrence Abrams of BleepingComputer wrote.

“The ransomware first uses the NetGetDCName() function to retrieve the name of the domain controller. Then it performs LDAP queries against the domain controller’s ADS using the ADsOpenObject() function with credentials passed on the command line.”

Furthermore, Mount Locker uses the API to then discover other devices on the compromised Windows domain and then encrypt those devices using stolen domain credentials.

Kremez told BleepingComputer that the developer likely had a previous Windows domain administrator experience based on how widely used this API is by Windows network administrators.

Related Articles