Worm spreading to other devices

The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks.

MountLocker started operating in July 2020 as a Ransomware-as-a-Service (RaaS) where developers are in charge of programming the ransomware software and payment site, and affiliates are recruited to hack businesses and encrypt their devices.

As part of this arrangement, the MountLocker core team receives a smaller cut of 20-30% of a ransom payment, while the affiliate gets the rest.

In March 2021, a new ransomware group called 'Astro Locker' emerged that began using a customized version of the MountLocker ransomware, with ransom notes pointing to their own payment and data leak sites.

"It's not a rebranding, probably we can define it as an alliance," Astro Locker told BleepingComputer when we asked about their connection to MountLocker.

Finally, in May 2021, a third group called 'XingLocker' emerged that also uses a customized MountLocker ransomware executable.

MountLocker worms its way to other devices

This week, MalwareHunterTeam shared a sample of what was believed to be a new MountLocker executable containing a new worm feature that allows it to spread to, and encrypt, other devices on the network.

After installing the sample, BleepingComputer confirmed that it was a customized sample for the XingLocker team.

A brief analysis by BleepingComputer determined that the worm feature is enabled by running the malware sample with the /NETWORK command-line argument. As this feature requires a Windows domain, our tests quickly failed, as shown below.

Debug messages for the MountLocker Worm feature

After sharing the sample with Advanced Intel CEO Vitali Kremez, it was discovered that MountLocker is now using the Windows Active Directory Service Interfaces API as part of its worm feature.

The ransomware first calls the NetGetDCName() function to retrieve the name of a domain controller. It then uses the ADsOpenObject() function to bind to the domain controller's Active Directory service over LDAP, authenticating with credentials passed on the command line, and runs its LDAP queries through that binding.

Using the Active Directory Service Interfaces API

Once it is bound to Active Directory, it iterates over the directory for objects matching the LDAP filter 'objectclass=computer', as shown in the image above.

For each object it finds, MountLocker will attempt to copy the ransomware executable to the remote device's '\C$\ProgramData' folder.

The ransomware will then remotely create a Windows service that loads the executable so it can proceed to encrypt the device.

Creating and launching the Windows ransomware service

Using this API, the ransomware can find all devices that are part of the compromised Windows domain and encrypt them using stolen domain credentials.
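The spreading sequence described above (copy the binary to the remote device's C$ admin share under ProgramData, then create and start a service that runs it) leaves two Windows event trails that a defender can correlate. The following Python script is an added example written for this edit; it is not code from BleepingComputer, from Advanced Intel, or from the malware. It parses a constructed key=value export of Security event 5145 (a client accessing a share object, logged when "Audit Detailed File Share" is enabled) and System event 7045 (a service was installed), flags service binaries that run from a staging directory, and raises a finding when the same binary is written through C$ or installed as a service on several hosts within a short window. Every hostname, address, file name and service name in the sample is invented, and the Users\Public directory is my addition beyond the ProgramData path the article names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs), flattened to one key=value line per
# event the way a SIEM export might render it. Two Windows event types appear:
#   5145 (Security, Detailed File Share auditing): share/target/access carry the
#        ShareName, RelativeTargetName and requested access of one share operation.
#   7045 (System, Service Control Manager): svc/path carry the Service Name and
#        Service File Name of a newly installed service.
# Hosts, the 10.0.0.x addresses, "upd.exe", "MsUpd" and the Acme entries are all made up.
SAMPLE_LOG = r"""
2021-05-20T10:00:58 host=FS-01  id=5145 src=10.0.0.23 share="\\*\C$" target="ProgramData\upd.exe" access=WriteData
2021-05-20T10:01:03 host=WKS-07 id=5145 src=10.0.0.23 share="\\*\C$" target="ProgramData\upd.exe" access=WriteData
2021-05-20T10:01:05 host=FS-01  id=7045 svc=MsUpd path="C:\ProgramData\upd.exe" acct=LocalSystem
2021-05-20T10:01:07 host=WKS-12 id=5145 src=10.0.0.23 share="\\*\C$" target="ProgramData\upd.exe" access=WriteData
2021-05-20T10:01:09 host=WKS-07 id=7045 svc=MsUpd path="C:\ProgramData\upd.exe" acct=LocalSystem
2021-05-20T10:01:12 host=WKS-12 id=7045 svc=MsUpd path="C:\ProgramData\upd.exe" acct=LocalSystem
2021-05-20T10:01:15 host=SQL-02 id=5145 src=10.0.0.23 share="\\*\C$" target="ProgramData\upd.exe" access=WriteData
2021-05-20T10:01:20 host=SQL-02 id=7045 svc=MsUpd path="C:\ProgramData\upd.exe" acct=LocalSystem
2021-05-20T11:30:00 host=WKS-03 id=7045 svc=AcmeBackup path="C:\Program Files\Acme\agent.exe" acct=LocalSystem
2021-05-20T14:15:00 host=WKS-03 id=7045 svc=AcmeUpdater path="C:\ProgramData\Acme\updater.exe" acct=LocalSystem
2021-05-20T14:16:00 host=WKS-03 id=5145 src=10.0.0.50 share="\\*\IPC$" target="srvsvc" access=ReadData
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare


def parse_line(line):
    """Parse one export line into a dict; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ev = {"time": datetime.fromisoformat(m.group("ts"))}
    except ValueError:
        return None
    for key, quoted, bare in KV_RE.findall(m.group("kv")):
        ev[key] = quoted if quoted else bare
    return ev


# Directories a dropper commonly stages a binary in and that legitimate services rarely
# run from. The article names only ProgramData; Users\Public is an addition for the example.
STAGING_DIRS = (PureWindowsPath(r"C:\ProgramData"), PureWindowsPath(r"C:\Users\Public"))


def in_staging_dir(image_path):
    """True if the service binary lives anywhere under one of STAGING_DIRS (case-insensitive)."""
    p = PureWindowsPath(image_path)
    return any(d in p.parents for d in STAGING_DIRS)


def find_service_spread(events, min_hosts=3, window=timedelta(minutes=15)):
    """7045 events: the same binary, run from a staging directory, installed as a service on
    at least min_hosts distinct hosts inside `window`. One finding per binary name."""
    by_binary = defaultdict(list)
    for ev in events:
        if ev.get("id") == "7045" and in_staging_dir(ev.get("path", "")):
            by_binary[PureWindowsPath(ev["path"]).name.lower()].append(ev)
    findings = []
    for name, evs in by_binary.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):          # slide a window starting at each install
            hosts = {e["host"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                findings.append({"binary": name, "service": first["svc"],
                                 "first_seen": first["time"], "hosts": sorted(hosts)})
                break
    return findings


def find_admin_share_drops(events, min_hosts=3):
    """5145 events: one source address writing the same file under ProgramData through the
    C$ admin share on at least min_hosts hosts, i.e. the copy step before the service install."""
    drops = defaultdict(set)                     # (source address, file) -> hosts written to
    for ev in events:
        if ev.get("id") != "5145" or ev.get("access") != "WriteData":
            continue
        if not ev.get("share", "").upper().endswith(r"\C$"):
            continue
        target = ev.get("target", "").lower()
        if not target.startswith("programdata\\"):
            continue
        drops[(ev["src"], target)].add(ev["host"])
    return [{"source": src, "file": f, "hosts": sorted(h)}
            for (src, f), h in drops.items() if len(h) >= min_hosts]


def analyze(log_text):
    """Run both correlations over an export and also return every single-host
    staging-directory service install (a weaker signal, kept for triage)."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    staged = sorted((e["host"], e["path"]) for e in events
                    if e.get("id") == "7045" and in_staging_dir(e.get("path", "")))
    return {"staged_services": staged,
            "service_spread": find_service_spread(events),
            "share_drops": find_admin_share_drops(events)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample, the single-host heuristic also lists the benign Acme updater on WKS-03, while only upd.exe produces a spread finding from both the 5145 and the 7045 side; the window and host thresholds are the knobs to tune against a real environment's software-deployment noise. Note that 5145 is emitted only when Detailed File Share auditing is on, whereas 7045 is logged by default.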

"Many corporate environments rely on complex Active Directory forests and computers within them. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operation outside of the normal network and share scan," Kremez told BleepingComputer in a conversation about the malware.

"This is the quantum shift of professionalizing ransomware development for corporate network exploitation."

As Windows network administrators commonly use this API, Kremez believes the threat actor who added this code likely has some Windows domain administration experience.

While this API has been seen in other malware, such as TrickBot, this may be the first "corporate ransomware for professionals" to use these APIs to perform built-in reconnaissance and spreading to other devices.
