{
	"id": "d145bfa9-dee2-4461-8462-6459859bb496",
	"created_at": "2026-04-06T00:07:55.651674Z",
	"updated_at": "2026-04-10T03:24:29.477578Z",
	"deleted_at": null,
	"sha1_hash": "4248368f1107857accc8b38713290fcf044608d5",
	"title": "Mount Locker ransomware now targets your TurboTax tax returns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2762451,
	"plain_text": "Mount Locker ransomware now targets your TurboTax tax returns\r\nBy Lawrence Abrams\r\nPublished: 2020-11-19 · Archived: 2026-04-05 19:54:37 UTC\r\nThe Mount Locker ransomware operation is gearing up for the tax season by specifically targeting TurboTax returns for\r\nencryption.\r\nMount Locker is a relatively new ransomware operation that began infecting victims in July 2020. Like other human-operated ransomware gangs, the Mount Locker gang will compromise networks, harvest unencrypted files to be used for\r\nblackmail, and then encrypt the devices on the network.\r\nStolen data and the encrypted files are then used in a double-extortion scheme where victims are warned that their stolen\r\nfiles will be published on a data leak site if a ransom is not paid.\r\nhttps://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nMount Locker data leak site\r\nNew Mount Locker version targets TurboTax\r\nWith the tax season fast approaching, some are already gathering their tax information and inputting it into TurboTax to\r\nprepare for the April 15th tax deadline.\r\nIn a new version of the ransomware analyzed by Advanced Intel's Vitali Kremez, Mount Locker is getting ready for the tax\r\nseason as well by specifically targeting files used by the TurboTax tax software.\r\nWhen encrypting a computer, Mount Locker only encrypts files that have certain file extensions. With the latest version, the\r\nransomware developers are now targeting the .tax, .tax2009, .tax2013, and .tax2014 file extensions associated with the\r\nTurboTax tax preparation software.\r\nhttps://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/\r\nPage 3 of 4\n\nMalware Locker targeting TurboTax extensions\r\nWhile Mount Locker is oddly targeting file extensions for specific tax years, Kremez told BleepingComputer that the 'tax'\r\ntargeting would match all extensions that contain the string.\r\nTo be safe from Mount Locker and other ransomware, be sure to make backups of your TurboTax files and other essential\r\ndocuments on detachable media after you make any changes. \r\nSimply backing up your important files to a USB drive every night and then unplugging it will guarantee the safety of your\r\nfiles even if you suffer a ransomware attack.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/\r\nhttps://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/"
	],
	"report_names": [
		"mount-locker-ransomware-now-targets-your-turbotax-tax-returns"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434075,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4248368f1107857accc8b38713290fcf044608d5.pdf",
		"text": "https://archive.orkl.eu/4248368f1107857accc8b38713290fcf044608d5.txt",
		"img": "https://archive.orkl.eu/4248368f1107857accc8b38713290fcf044608d5.jpg"
	}
}