{
	"id": "45fabf15-4bc0-47d2-b6c4-09e789badd75",
	"created_at": "2026-04-06T00:20:00.252421Z",
	"updated_at": "2026-04-10T13:11:38.435738Z",
	"deleted_at": null,
	"sha1_hash": "6e6a04fa713c97712edf63059733a10e29a4e4ba",
	"title": "Ransomware Operators Found Using New Franchise Business Model",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52397,
	"plain_text": "Ransomware Operators Found Using New Franchise Business\r\nModel\r\nBy Fernando Merces\r\nPublished: 2021-10-15 · Archived: 2026-04-05 22:33:16 UTC\r\nThe connection between Mount Locker and another ransomware group called AstroLocker Team was already\r\nexplored by Sophos back in March 2021. By comparing the infamous welcome message here\r\nwith the one shown in Sophos’ blog post, we can infer that the XingLocker team is yet another Mount Locker\r\nfranchise. After connecting the dots, we also saw a link between the two franchises. We explain further in the\r\nsections below.  \r\nThe XingLocker Team and AstroLocker Team connection \r\nIn the beginning, we thought that XingLocker was just a Mount Locker rebrand being operated by the same\r\noriginal group (a common technique in the ransomware business). However, one thing caught our attention — the\r\nusage of a different onion address for each victim. Instead of setting up multiple servers, as has been done in many\r\ncases, the XingLocker team created multiple addresses pointing to the same server. \r\nThis alone does not mean a lot, but an analysis of the HTTP requests made to this server revealed other directories\r\nas well. We saw that these directories held data from companies victimized by another group — AstroLocker\r\nTeam. We covered part of the companies’ names in the image below, but these are known victims of AstroLocker\r\nTeam, not XingLocker. 
\r\nShared infrastructure \r\nTo date, we have found fifteen onion addresses used by at least four different servers, and three others still\r\nunknown.\r\nTable 1. The onion addresses used by the different servers\r\nAnd here is how they relate to the group:\r\nServer XingLocker AstroLocker Team\r\nA x  \r\nB x x\r\nC x x\r\nD x  \r\nUnknown 1 x  \r\nUnknown 2 x  \r\nUnknown 3 x  \r\nTable 2. The different servers in relation to XingLocker and AstroLocker Team\r\nWhile this is not a sophisticated innovation, it is important to highlight that ransomware groups are looking for\r\nnew ways to run their affiliate programs and RaaS businesses. This form of shared infrastructure\r\nand code can make things harder from an investigative point of view. 
It is not uncommon to find XingLocker\r\nsamples detected as Mount Locker, or identify two different onion addresses pointing to the same onion service\r\nbut used by different groups. Investigators should be aware of these factors when researching ransomware.\r\nWhy is this important? Most RaaS models operate by affiliates working with the ransomware group to install a specifically named ransomware on as many machines as possible, then splitting the profits. This is\r\nadvantageous for the attackers because when victims look up the ransomware and see many reports about it, they\r\nare more likely to pay. As a disadvantage, affiliates are largely anonymous and can’t use these attacks as the basis\r\nof THEIR own criminal business. They are just like managers in a burger chain.\r\nIt seems likely we have now observed a new \"franchise\" RaaS model involving XingLocker, AstroLocker and\r\nMount Locker. In this model there seems to be a main RaaS (in this case Mount Locker), and then affiliates\r\nlicense the ransomware and release it under their own name and brand. \r\nIn this scenario, the affiliates are like managers of their own local burger joint, getting products from a generic\r\nfood supplier. The products are provided by the parent company, but the individual operators conduct business\r\nunder their own branding, with unique names and images. This method gives more flexibility and recognition for\r\nthe affiliates, especially mid-tier aspiring criminal gang leaders. One disadvantage is that it means less brand\r\nrecognition for specific ransomware, so victims may be less inclined to pay. 
Of course, from an investigation point\r\nof view, this method adds confusion in terms of naming and makes tracking harder.\r\nHow to Defend Against Ransomware\r\nRansomware is a continuously evolving threat, and organizations should be vigilant in maintaining the best and\r\nmost effective security policies and practices. Protection frameworks set by the Center of Internet Security and the National Institute of Standards and Technology can help organizations prevent\r\nand mitigate the impact of ransomware attacks: \r\nAudit and inventory: Take an inventory of all organizational assets and data, and identify authorized and\r\nunauthorized devices, software, and personnel accessing particular systems. Audit and monitor all logs of\r\nevents and incidents to identify unusual patterns and behaviors.\r\nConfigure and monitor: Deliberately manage hardware and software configurations, and only grant\r\nadministrative privileges and access to specific personnel when absolutely necessary. Monitor the use of\r\nnetwork ports, protocols, and services. Implement security configurations on network infrastructure\r\ndevices such as firewalls and routers, and have a software allow list to prevent malicious applications from\r\nbeing executed. \r\nPatch and update: Perform periodic vulnerability assessments, and conduct regular patching or virtual\r\npatching for operating systems and applications. Ensure that all installed software and applications are\r\nupdated to their latest versions.\r\nProtect and recover: Enforce data protection, backup, and recovery measures. Implement multifactor\r\nauthentication in all devices and platforms used whenever available.\r\nSecure and defend: Perform sandbox analysis to examine and block malicious emails. Employ the latest\r\nversion of security solutions to all layers of the system, including email, endpoint, web, and network. 
Spot\r\nearly signs of an attack such as the presence of suspicious tools in the system, and enable advanced\r\ndetection technologies such as those powered with AI and machine learning.\r\nTrain and test: Perform security skills assessment and training for all personnel regularly, and conduct red-team exercises and penetration tests.\r\nTrend Micro Solutions\r\nOrganizations can benefit from security solutions that encompass a system’s multiple layers (endpoint, email,\r\nweb, and network) not only for detecting malicious components but also for close monitoring of suspicious\r\nbehaviors in the network.  \r\nTrend Micro™ Vision One™ provides multilayered protection and behavior detection, spotting\r\nquestionable behaviors that might otherwise seem benign when viewed from only a single layer. For an even\r\ncloser inspection of endpoints, Trend Micro Apex One™ offers next-level automated threat\r\ndetection and response against advanced concerns such as fileless threats and ransomware. This allows detecting\r\nand blocking ransomware early on before it can do any real damage to the system.\r\nWith techniques such as virtual patching and machine learning, Trend Micro™ Cloud One™ Workload\r\nSecurity protects systems against both known and unknown threats that exploit vulnerabilities.\r\nIt also takes advantage of the latest in global threat intelligence to provide up-to-date, real-time protection. \r\nRansomware often gets into the system through phishing emails. Trend Micro™ Deep Discovery™ Email\r\nInspector employs custom sandboxing and advanced analysis techniques to effectively block\r\nransomware before it gets into the system.\r\nFor the Indicators of Compromise, please see this document. 
\r\nSource: https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html"
	],
	"report_names": [
		"ransomware-operators-found-using-new-franchise-business-model.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434800,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e6a04fa713c97712edf63059733a10e29a4e4ba.pdf",
		"text": "https://archive.orkl.eu/6e6a04fa713c97712edf63059733a10e29a4e4ba.txt",
		"img": "https://archive.orkl.eu/6e6a04fa713c97712edf63059733a10e29a4e4ba.jpg"
	}
}