# MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates

**[blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates](https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates)**

The BlackBerry Research & Intelligence Team

[1. BlackBerry ThreatVector Blog](https://blogs.blackberry.com/en.html)
2. MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates

[Since mid-October 2020, the BlackBerry Incident Response Team have been actively tracking MountLocker affiliate campaigns as part of](https://www.blackberry.com/us/en/services/blackberry-cybersecurity-consulting#how-can-i-handle-a-breach)
ongoing investigations. The affiliates are typically responsible for the initial compromise, distribution of MountLocker ransomware, and
exfiltration of sensitive client data during a breach.

[In coordination with the BlackBerry Research and Intelligence Team, our researchers and investigators have produced the following wide-](https://blogs.blackberry.com/en/author/the-blackberry-research-and-intelligence-team)
ranging report on MountLocker. It covers this threat’s operators, affiliates, ransomware, decryptor, and associated tactics, techniques, and
procedures (TTPs).

**Key Findings**

MountLocker is a Ransomware-as-a-Service (RaaS), active since July 2020.
The MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security
software.
Victim’s files are encrypted using ChaCha20, and file encryption keys are encrypted using RSA-2048.
The ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of
data. MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.
MountLocker affiliates were observed:

Using commercial-off-the-shelf tools such as CobaltStrike Beacon to deploy MountLocker ransomware.
Exfiltrating sensitive client data via FTP prior to encryption.
Engaging in blackmail and extortion tactics (alongside the operators) to coerce victims into making hefty payments to recover and
prevent the public disclosure of stolen data.
Owing to the RaaS and affiliate program, targeting is geographically diverse and becoming more prominent.

**Operators and Affiliates**

Our investigations into MountLocker-related affiliate campaigns suggests that threat actors often used remote desktop (RDP) with
compromised credentials to gain access to a victim’s environment. In one instance, after establishing a foothold in an organisation, there was
a delay of several days before activity resumed. It is likely that the threat actors were negotiating with the MountLocker operators to join their


-----

a ate p og a a d obta t e a so a e du g t s pause Upo obta g t e ou t oc e a so a e, t e t eat acto s e e
observed returning with several “public” tools, including CobaltStrike Beacon and AdFind from Joeware. Over a period of approximately 24
hours:

AdFind is used to perform network reconnaissance.
A custom batch file is used to exfiltrate sensitive documents from key systems via FTP.

CobaltStrike Beacon is leveraged to spread laterally and deploy the MountLocker ransomware.

_Figure 1. MountLocker kill-chain_

The following crude batch script (sanitized for confidentiality reasons) was used by the attackers to perform exfiltration of sensitive data. The
script starts by uploading a “desktop.ini” file to the sever using curl, then enumerates a hardcoded root directory (localdir) and all
subdirectories. Each file is uploaded to the FTP server as it goes:


-----

_Figure 2. MountLocker FTP exfiltration batch script_

Successful MountLocker affiliates have been known to seek multi-million-dollar payments for decryption services and to prevent public
disclosure of stolen data. The MountLocker operators are currently hosting a site on the dark web where they announce their recent targets
and supply links to leaked data. The site is currently listing five victims; we believe the actual number to be far greater:


-----

Figure 3. MountLocker site, announcing targets and leaks


-----

_Figure 4. MountLocker full data dump_

**Ransomware**

The MountLocker ransomware, at less than 100Kb in size, is lightweight and simple in construction. It is typically deployed as either an x86 or
x64 Windows portable executable (PE) file, although occasionally as a Microsoft Installer (MSI) package:

[Figure 5. Composition of a x64 MountLocker PE file](https://github.com/blackberry/pe_tree)


-----

**eatu es**

Simple, lightweight, and efficient ransomware
Semi-unique file extension per victim organization
Uses ChaCha20 for file encryption and RSA-2048 for key encryption
Weak key generation using GetTickCount

**Behavior**

Upon execution, MountLocker will process any command-line arguments supplied by the operators:

**Argument** **Description**

/log:[C|F] C = Log to console

F = Log to file (.log extension)

/scan:[L|N|S] L = Local drives

N = Network drives

S = Network shares (currently unimplemented)


/marker:[a-zA-Z0-9_-.]
{32}


Create a marker file with the specified filename in each volume's root directory before volume encryption
begins


/nodel Prevent MountLocker from deleting itself after execution (typically used when launched as an MSI)

_Figure 6. Command-line arguments_

Next, MountLocker initializes debug logging and creates a run-once mutex. The mutex is based on the serial number of the volume containing
the Windows directory, and yields a 32-character uppercase hexadecimal string:

_Figure 7. Run-once mutex_

The ransomware then proceeds to initialize the encryption keys and create the ransom note. MountLocker contains an embedded 2048-bit
RSA public key supplied by the attackers. It is imported and used to encrypt a random session key generated using the cryptographically
insecure GetTickCount API. This offers the slim possibility that knowing the timestamp counter value during ransomware execution could lead
to the session key being brute-forced.

After initializing the encryption keys, MountLocker will create the ransom note from a template and add the ransomware file extension to the
registry. When a user double clicks an encrypted file, the ransom note is opened via Explorer. The file extension is a hex encoded 4-byte (or 8
character) “Client ID”, which is unique per victim organization:


-----

Figure 8. Encryption key and ransom note setup

_Figure 9. Attackers' RSA public key embedded in MountLocker_

The ransom note can vary slightly between samples, and in some cases incorrectly states that AES encryption was used. It contains a Tor
.onion URL to contact the MountLocker operators via a “dark web” chat service to discuss a price for decryption software:


-----

_Figure 10. Typical Mountlocker ransom note_

After initialization is complete, prior to encryption, MountLocker will attempt to terminate a range of processes belonging to security software,
office applications, browsers, and databases:

agntsvc firefox outlook tbirdconfig

bengine infopath OWSTIMER thebat

benetns isqlplussvc postgres thunderbird

beremote msaccess powerpnt veeam

beserver mspub pvlsvr visio

dbeng50 mydesktopservice SAVAdminService VxLockdownServer

dbsnmp mydesktopqos SavService winword

dfssvc mysql sql wordpad

dfsrs ocautoupds sqbcoreservice wsstracing

EduLink2SIMS ocomm sophos WSSADMIN


-----

encsvc ocssd steam xfssvccon

excel onenote swc_service

fdhost oracle synctime

MountLocker then proceeds to enumerate first local and then remote volumes looking for files to encrypt. For each volume found, it takes the
following steps:

1.   If specified via command-line (using /marker:) create a marker file on the root of the volume.

2.   Recursively iterate over all files/folders:

a.   If the FindFirstFile function returns ERROR_ACCESS_DENIED, try to change permissions of the root directory by setting the owner and
DACL (discretionary access control list) values in its security descriptor to the same ones as the parent process.

3.   For each file found:

a.   Check whether the parent folder path is one of the following, and therefore excluded from encryption:

System Volume Information WINNT

$RECYCLE.BIN NVIDIA

Windows SYSTEM.SAV

$WINDOWS.~BT PerfLog

Windows.old Intel

Program Files Games

Program Files (x86) Temp

WINNT Tmp

b.    Check if the file extension is allowed. MountLocker contains a huge list of over 2600 file extensions that it will target for encryption,
including known file extensions for databases, documents, archives, images, accounting software, security software, source code, games,
backups and various custom data formats. Common file extensions for executable files (.exe, .dll, .sys) are not targeted.

c.    Ensure the filename is not “RecoveryManual.html”.

d.   Memory map the file.

e.   Generate a random encryption key for the file, again using the cryptographically insecure GetTickCount API (via rdtsc, and without the
use of a Sleep API call!):


-----

_Figure 11. Create ChaCha20 file key_

a.   Encrypt the file key with the session key using ChaCha20, and write both the encrypted file key (32-bytes) and encrypted session key
(256-bytes) to the file:

_Figure 12. Encrypt the file key with the session key and write the file header_

a.   Memory map the input file and ChaCha20; encrypt it using the file key in 64MB chunks:

_Figure 13. Encrypt file contents_

a.   Move the file and restore the owner and DACL:


-----

_Figure 14. Move file after encryption and optionally set named security information_

Post encryption, the composition of a MountLocker encrypted file is as follows, where:

The red highlighted region is the 32-byte ChaCha20 file key, encrypted using ChaCha20 with the session key.
The green region is the ChaCha20 session key, encrypted using RSA with the attackers’ 2048-bit public key.

The blue highlighted region is the original file contents, encrypted using ChaCha20 with the randomly generated file key.

_Figure 15. MountLocker file composition_

After the encryption process is completed, MountLocker will delete volume shadow copies to prevent the restoration of the encrypted files:


-----

_Figure 16. Delete volume shadow copies_

Finally, in the absence of the /nodel command-line argument, MountLocker will drop the following batch file to remove itself from disk:

_Figure 17. MountLocker cleanup batch file_

_Figure 18. Execute cleanup batch file_

**Version 2**

MountLocker version 2 first surfaced in the wild during late November 2020, with a compilation timestamp from earlier in the month
(November 6th). It is considerably smaller in size than the previous versions (approximately 50% smaller, at 46Kb for the x64 build) owing to
the removal of the vast file extension “include” list. Instead, MountLocker version 2 turns this process on its head, and targets a far smaller list
of file extensions to explicitly exclude from encryption:

.exe, .dll, .sys, .msi, .mui, .inf, .cat, .bat, .cmd, .ps1, .vbs, .ttf, .fon, .lnk

Overall, the code bears approximately 70% similarity to the initial MountLocker release, with no apparent changes to:

Cryptographic initialization and ransom note creation
Client ID calculations
Volume traversal
DACL modifications
ChaCha20/RSA encryption

As for updates, the most obvious initial differences are the reworded debug messages:


-----

_Figure 19. Updated debug messages in MountLocker version 2_

The biggest change is in the process termination code and deletion of volume shadow copies. This is now implemented using a PowerShell
script that gets written to a temporary directory and executed via a PowerShell one-liner prior to encryption:

_Figure 20. Drop and launch PowerShell script from MountLocker version 2_

The script itself will simply Base64 decode and gzip decompress a further PowerShell script, which is then invoked using iex:

_Figure 21. MountLocker PowerShell decoder_

Once decoded, the underlying PowerShell script deletes volume shadow copies then attempts to terminate all services and processes
running outside of the Windows directory. The script will avoid terminating processes belonging to itself, Tor, PowerShell, several browsers,
and a long list of security software (allowing the victim to still use Tor to contact the MountLocker operators to negotiate payment):


-----

_Figure 22. Process termination script in MountLocker version 2_

MountLocker aims to evade security software that is not configured to terminate the entire process tree when handling alerts. It does this
through the deletion of volume shadow copies and termination of processes in a separate process (powershell.exe).

Finally, in addition to removing the large file extensions list, MountLocker version 2 has an updated list of folders that are excluded from file
encryption:

:\\Windows\\ :\\ProgramData\\Microsoft\\

:\\System Volume Information\\ \\Local\\Packages\\

:\\$RECYCLE.BIN\\ :\\ProgramData\\Packages\\

:\\SYSTEM.SAV \\Windows Defender\\

:\\WINNT \\microsoft shared\\

:\\$WINDOWS.~BT\\ \\Google\\Chrome\\

:\\Windows.old\\ \\Mozilla Firefox\\

:\\PerfLog\\ \\Mozilla\\Firefox\\

\\WindowsApps\\ \\Internet Explorer\\

\\Microsoft\\Windows\\ \\MicrosoftEdge\\

\\Roaming\\Microsoft\\ \\Tor Browser\\

\\Local\\Microsoft\\ \\AppData\\Local\\Temp\\

\\LocalLow\\Microsoft\\

_Figure 23. Updated exclude folders in MountLocker version 2_

**Decryptor**

The only MountLocker decryptor we’ve observed in the public domain is heavily based on the first x86 MountLocker ransomware codebase. It
shares about 70% of the original functionality, including the run-once mutex, process termination and volume traversal.


-----

u g t e dec ypt o p ocess, t e p og a sea c a oca a d et o o u es, as e as apped s a es, oo g o e c ypted es
The encrypted file and session keys are read from each file, and a checksum of the session key is computed. If the checksum doesn’t match
a global session key checksum then the attackers RSA private key will be imported and used to decrypt the session key. The decrypted
session key is then used to decrypt the file key using ChaCha20:

_Figure 24. Read and decrypt the file key using the session key_

Figure 25. Load the attacker’s RSA private and decrypt the session key

_Figure 26. Attacker's RSA private key embedded in the decryptor_

Finally, the file key is used to ChaCha20 decrypt the file in 64MB chunks:


-----

_Figure 27. ChaCha20 file decryption_

**Conclusions**

The MountLocker Operators are clearly just warming up. After a slow start in July they are rapidly gaining ground, as the high-profile nature of
extortion and data leaks drive ransom demands ever higher. MountLocker affiliates are typically fast operators, rapidly exfiltrating sensitive
documents and encrypting them across key targets in a matter of hours.

Since its inception, the MountLocker group have been seen to both expand and improve their services and malware. While their current
capabilities are not particularly advanced, we expect this group to continue developing and growing in prominence over the short term.

[Our AI-based endpoint security solution BlackBerry® Protect® has thwarted several MountLocker attacks in customer’s environments,](https://www.blackberry.com/us/en/products/blackberry-protect)
preventing the ransomware from ever being deployed. BlackBerry Protect uses machine learning to provide an automated safeguard against
both simple and sophisticated threats. It does this without the need for signatures, heuristics, sandboxes, cloud connections, or extensive
human intervention.

**Appendix**

**Indicators of Compromise (IoCs)**

**Indicator** **Type** **Description**

4b917b60f4df6d6d08e895d179a22dcb7c38c6a6a6f39c96c3ded10368d86273 SHA256 MountLocker (x86) v1

f570d5b17671e6f3e56eae6ad87be3a6bbfac46c677e478618afd9f59bf35963 SHA256 MountLocker (x64) v1

964170baffd8f88e6c7fc189d43dfaa32c8dbcee02d7afa573058f9af16dac3b SHA256 MountLocker (x86) v1

30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83 SHA256 MountLocker (MSI) v1

31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585 SHA256 MountLocker (x86) v1

0aa8099c5a65062ba4baec8274e1a0650ff36e757a91312e1755fded50a79d47 SHA256 MountLocker (x64) v1

5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0 SHA256 MountLocker (x64) v1


-----

96056182d93b582b3d56bd82a560bafd5cde413c4ca216f4f62ab446c61c9b6a SHA256 MountLocker (x86) v1

2d2d2e39ccae1ff764e6618b5d7636d41ac6e752ce56d69a9acbb9cb1c8183d0 SHA256 MountLocker (x64) v2

c0aa74bc157788d0329b81ff87fc4d4b764d4823159bccd1f538cc0301a625f4 SHA256 MountLocker decryptor for 3005…
and 3163…

qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion Domain MountLocker contact URL

zsa3wxvbb7gv65wnl7lerslee3c7i27ndqghqm6jt2priva2qcdponad.onion Domain MountLocker contact URL

br3o5we2252csfnhotfbsfx7ch5csivuuidhdefbhmg2zmbqebs6znad.onion Domain MountLocker contact URL

55ltvpboyvhg7ezmefe72jgioukb52t6nkdiuis5yishczlbtadmr2qd.onion Domain MountLocker contact URL

fzl2tjt7hoyf4oeynma57wjk4w5cyi37o7ihzlkvfsjtxmk7elzp7iqd.onion Domain MountLocker contact URL

6mlzahkc7vejytppbqhqjou4ipftgs3gizof2x4zklblliayhsqb3wad.onion Domain MountLocker contact URL

.ReadManual.[0-9]{8}$ Filename MountLocker file extension


vssadmin.exe delete shadows /all /Quiet Commandline


HKCU\Software\Classes\.<CLIENT_ID>\shell\Open\command\ @="explorer.exe
RecoveryManual.html"

powershell.exe -windowstyle hidden -c $mypid='%u';

[System.IO.File]::ReadAllText('%s')|iex


Registry
value

Commandline


MountLocker - Delete volume shadow
copies

MountLocker – Register file extension
to
open readme with explorer.

MountLocker v2 – Used to execute
process termination script

Used to invoke encoded PowerShell
(containing CobaltStrike beacon)


powershell -nop -w hidden -encodedcommand Commandline

**MITRE ATT&CK**


**Tactic** **ID** **Name** **Description**


Initial
Access


[T1078](https://attack.mitre.org/techniques/T1078/) Valid Accounts Suspected initial compromise using stolen
credentials


[T1133](https://attack.mitre.org/techniques/T1133/) External Remote
Services


RDP used to leverage a foothold


Execution [T1059.001](https://attack.mitre.org/techniques/T1059/001/) Command and Scripting Interpreter: PowerShell PowerShell wrapped CobaltStrike Beacon

[T1569](https://attack.mitre.org/techniques/T1569/) System Services PowerShell wrapped CobaltStrike Beacon


Persistence [T1546.001](https://attack.mitre.org/techniques/T1546/001/) Event Triggered Execution: Change Default File
Association


MountLocker registers its file extension
(.ReadManual.[0-9]{8}$) to open with
explorer.exe

MountLocker modifies file DACL


Defense
Evasion


[T1222.001](https://attack.mitre.org/techniques/T1222/001/) File and Directory Permissions Modification:
Windows File and Directory Permissions
Modification


[T1070.004](https://attack.mitre.org/techniques/T1070/004/) Indicator Removal on
Host: File Deletion


MountLocker deletes itself post execution


-----

Discovery [T1069.002](https://attack.mitre.org/techniques/T1069/002/) Permission Groups Discovery: Domain Groups AdFind used for reconnaissance

Exfiltration [T1020](https://attack.mitre.org/techniques/T1020/) Automated Exfiltration Uploads sensitive documents via FTP


Command
and Control


[T1071](https://attack.mitre.org/techniques/T1071/) Application Layer Protocol CobaltStrike Beacon (SMB/named pipe)


[T1071.001](https://attack.mitre.org/techniques/T1071/001/) Application Layer
Protocol: Web
Protocols


CobaltStrike Beacon (HTTP)


Impact [T1486](https://attack.mitre.org/techniques/T1486/) Data Encrypted for Impact Files encrypted for ransom


[T1490](https://attack.mitre.org/techniques/T1490/) Inhibit System
Recovery


MountLocker uses vssadmin.exe to delete all
volume shadow copies


[T1489](https://attack.mitre.org/techniques/T1489/) Service Stop MountLocker stops various system services prior to
encryption

Software [S0154](https://attack.mitre.org/software/S0154/) Cobalt Strike CobaltStrike Beacon (HTTP/SMB)

**Hunting**

The following VirusTotal query uses a simple content search to find related samples:

[https://www.virustotal.com/gui/search/content%253A%2522Crypt%2520Avg%253A%2522/files](https://www.virustotal.com/gui/search/content%253A%2522Crypt%2520Avg%253A%2522/files)

The following VirusTotal query uses a behaviour search to find related samples:

[https://www.virustotal.com/gui/search/behaviour_files%253A%2522.readmanual.%2522/files](https://www.virustotal.com/gui/search/behaviour_files%253A%2522.readmanual.%2522/files)

**YARA**

The following YARA rule looks for common MountLocker ransomware strings in the .rdata section of a PE file:


-----

import pe

rule Ransomware_MountLocker
{
meta:
description = "Rule to detect MountLocker ransomware"
author = "BlackBerry Research and Intelligence Team"
date = "2020-11-24"

strings:
$a0 = "cid=%CLIENT_ID%"
$a1 = "<h1>Your ClientId:</h1>"
$a2 = "<title>RECOVERY MANUAL</title>"
$a3 = ".ReadManual.%0.8X" wide
$a4 = "RecoveryManual.html" wide
$a5 = "Crypt Avg:" wide ascii
$a6 = "[I] Check double run..."
$a7 = "[W] SKIP FOLDER BL: %ws"
$a8 = "[W] SKIP FILE RP(%0.8X): %ws"
$a9 = "[E] ERROR: malloc(LOCK_CONTEXT)=%u"
$aA = "[I] SCAN VOLUME: %ws"
$aB = "[E] ERROR: RSA(MasterKey)=%u"
$aC = "locker.check.dbl_run" wide
$aD = "locker.file > crypt" wide

condition:
uint16(0) == 0x5a4d and
filesize < 1MB and
// Check for unique strings common across known samples in .rdata section
for any of ($a*) : ( $ in
(pe.sections[pe.section_index(".rdata")].raw_data_offset..pe.sections[pe.section_index(".rdata")].raw_data_offset+pe.sections[pe.section_index
(".rdata")].raw_data_size) )
}

## About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of
defenders and the organizations they serve.

Back


-----