{
	"id": "d0082bfd-f55e-473f-bcd8-ef6c3b08a560",
	"created_at": "2026-04-06T02:13:15.57173Z",
	"updated_at": "2026-04-10T03:21:42.309249Z",
	"deleted_at": null,
	"sha1_hash": "142c470021e72aee4a972ff5d13f3f779f598409",
	"title": "Mount Locker Ransomware Steps up Counter-IR Capabilities, Hindering Efforts for Detection, Response and Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 169158,
	"plain_text": "Mount Locker Ransomware Steps up Counter-IR Capabilities, Hindering Efforts for Detection, Response and Investigation\r\nBy GuidePoint Security\r\nPublished: 2021-04-22 · Archived: 2026-04-06 01:32:39 UTC\r\nOver the past six weeks, GuidePoint Security threat researchers have noted a change in the tactics used by Mount Locker ransomware seen in recent engagements.\r\nThe Mount Locker group first announced their ransomware-as-a-service offering in the second half of 2020, and attacks attributed to the variant have been on the rise since. In early November 2020, an update was released broadening the types of files targeted and improving the ransomware’s ability to evade security measures. It also appears that Mount Locker may be transitioning to Astro Locker, as the verbiage and victims listed on both variants’ shaming sites share significant overlap. While it’s not too uncommon for malware to change names, this change is paired with an aggressive shift in Mount Locker’s tactics.\r\nTraditionally, Mount Locker ransomware is known for using public tools to move laterally, steal files, and deploy encryption. Attackers deploying Mount Locker use its capabilities for double extortion of victims. Initial access vectors vary, but once a foothold is gained, common tactics include the use of AdFind and BloodHound for Active Directory and user reconnaissance, FTP for file exfiltration, and Cobalt Strike for lateral movement and the delivery and execution of encryption, potentially through PsExec. Critical data is staged and exfiltrated to be used as further collateral in extorting ransoms, with threats to release the data if the ransom is not paid. After the environment is mapped, backup systems are identified and neutralized, and data is harvested, systems are encrypted with target-specific ransomware delivered via the established C2 channels. These payloads include executables, extensions, and unique victim IDs for payment.\r\nHowever, in recent engagements, it appears Mount Locker is stepping up their game by including scripting and capabilities directly targeting prevention measures. The new batch scripts – designed to disable detection & prevention tools – indicate that Mount Locker is increasing its capabilities and is becoming a more dangerous threat. These scripts were not just blanket steps to disable a large swath of tools; they were customized and targeted to the victim’s environment. In recent engagements threat actors have also begun using multiple Cobalt Strike servers with unique domains, which is an added step not often seen due to the increased overhead in management for attackers. This, combined with the recent shift to Astro Locker, could signal a shift in the group’s overall tactics and an effort to fully rebrand as a more insidious threat.\r\nThis shift in TTPs has coincided with a recent surge in requests for assistance coming from companies in the biotech industry. Some calls were proactive, seeking help in verifying that environments were secure; however, a number were seeking help with active ransomware incidents. Viewed together, this could be an indication of a larger campaign aggressively targeting healthcare-adjacent industries.\r\nBiotech companies, in particular, are a prime target for ransomware because of their position in an industry flush not only with cash but also with highly sensitive IP. Additionally, connections to other research organizations increase the potential to damage the victim’s reputation in the industry and put business dealings at risk. Healthcare and biotech companies are prime targets for attack groups because their services and technologies are in increasing demand. They stand to lose the most if operations are halted for too long or critical IP is lost, so attackers view them as more likely to pay the requested ransom quickly.\r\nIf you believe you may be at risk of an attack using Mount Locker or Astro Locker, telltale signs include the staging and exfiltration of files via FTP and Cobalt Strike stagers and beacons in your environment. While these would always be cause for alarm, the November 2020 release of an updated, more aggressive Mount Locker and the dramatic increase in attacks attributable to the group make these IOCs particularly alarming.\r\nIf you observe any activity in your environment that could indicate you are being targeted, you can reach out to GuidePoint Security’s Digital Forensics & Incident Response team here.\r\nSource: https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/"
	],
	"report_names": [
		"mount-locker-ransomware-steps-up-counter-ir-capabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775441595,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/142c470021e72aee4a972ff5d13f3f779f598409.pdf",
		"text": "https://archive.orkl.eu/142c470021e72aee4a972ff5d13f3f779f598409.txt",
		"img": "https://archive.orkl.eu/142c470021e72aee4a972ff5d13f3f779f598409.jpg"
	}
}