{
	"id": "4c40791c-14a8-4e33-bbac-5852e0e7b60b",
	"created_at": "2026-04-06T00:16:30.436283Z",
	"updated_at": "2026-04-10T03:21:21.915309Z",
	"deleted_at": null,
	"sha1_hash": "27f5a1f14e540439811c9ed404f47a4d1d48e4c7",
	"title": "Mount Locker ransomware joins the multi-million dollar ransom game",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4920246,
	"plain_text": "Mount Locker ransomware joins the multi-million dollar ransom game\r\nBy Lawrence Abrams\r\nPublished: 2020-09-24 · Archived: 2026-04-05 18:11:14 UTC\r\nA new ransomware operation named Mount Locker is underway stealing victims' files before encrypting and then\r\ndemanding multi-million dollar ransoms.\r\nStarting around the end of July 2020, Mount Locker began breaching corporate networks and deploying their ransomware.\r\nFrom ransom notes shared with BleepingComputer by victims, the Mount Locker gang is demanding multi-million dollar\r\nransom payments in some cases.\r\nhttps://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\n$2 million ransom demand from Mount Locker\r\nBefore encrypting files, Mount Locker will also steal unencrypted files and threaten victims that the data will be published if\r\na ransom is not paid.\r\nFor example, Mount Locker told one victim that they stole 400 GB of their data, and if they are not paid, they will contact\r\nthe victim's competitors, the media, TV channels, and newspapers.\r\nUltimately, the victim did not pay, and their data was published to a ransomware data leak site.\r\nMount Locker data leak site\r\nThis data leak site currently lists four victims, with only one having files leaked.\r\nThe MountLocker ransomware\r\nIt was only until recently that MalwareHunterTeam discovered a sample of Mount Locker, which allow allowed us to get a\r\nbit more insight into how the ransomware operates.\r\nMichael Gillespie, who analyzed the ransomware, told BleepingComputer that Mount Locker uses ChaCha20 to encrypt the\r\nfiles and an embedded RSA-2048 public key to encrypt the encryption key.\r\nhttps://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/\r\nPage 3 of 5\n\nFrom our analysis, when encrypting files, the ransomware will add an extension in the format .ReadManual.ID. For\r\nexample, 1.doc would be encrypted and renamed to 1.doc.ReadManual.C77BFF8C, as shown in the encrypted folder below.\r\nMount Locker encrypted files\r\nThe ransomware will then register the extension in the Registry so that when you click on an encrypted file, it will\r\nautomatically load the ransom note.\r\nHKCU\\Software\\Classes\\.C77BFF8C\\shell\\Open\\command\\ @=\"explorer.exe RecoveryManual.html\"\r\nThe ransom note is named RecoveryManual.html and contains instructions on how to access the Tor site to communicate\r\nwith the ransomware operators.\r\nMount Locker ransom note\r\nhttps://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/\r\nPage 4 of 5\n\nThe Tor site is simply a chat service, where victims can negotiate the ransom or ask questions.\r\nUnfortunately, the ransomware is secure, and there is no way to recover your files for free.\r\nFor those who wish to receive support related to this ransomware, you can use our dedicated Mount Locker support topic.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/\r\nhttps://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/"
	],
	"report_names": [
		"mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game"
	],
	"threat_actors": [],
	"ts_created_at": 1775434590,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27f5a1f14e540439811c9ed404f47a4d1d48e4c7.pdf",
		"text": "https://archive.orkl.eu/27f5a1f14e540439811c9ed404f47a4d1d48e4c7.txt",
		"img": "https://archive.orkl.eu/27f5a1f14e540439811c9ed404f47a4d1d48e4c7.jpg"
	}
}