# Mount Locker ransomware joins the multi-million dollar ransom game **[bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/](https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) September 24, 2020 05:42 PM 0 A new ransomware operation named Mount Locker is underway stealing victims' files before encrypting and then demanding multi-million dollar ransoms. Starting around the end of July 2020, Mount Locker began breaching corporate networks and deploying their ransomware. From ransom notes shared with BleepingComputer by victims, the Mount Locker gang is demanding multi-million dollar ransom payments in some cases. ----- **$2 million ransom demand from Mount Locker** Before encrypting files, Mount Locker will also steal unencrypted files and threaten victims that the data will be published if a ransom is not paid. For example, Mount Locker told one victim that they stole 400 GB of their data, and if they are not paid, they will contact the victim's competitors, the media, TV channels, and newspapers. Ultimately, the victim did not pay, and their data was published to a ransomware data leak site. ----- **Mount Locker data leak site** This data leak site currently lists four victims, with only one having files leaked. ## The MountLocker ransomware It was only until recently that [MalwareHunterTeam discovered a sample of Mount Locker,](https://twitter.com/malwrhunterteam?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor) which allow allowed us to get a bit more insight into how the ransomware operates. [Michael Gillespie, who analyzed the ransomware, told BleepingComputer that Mount](https://twitter.com/demonslay335) Locker uses ChaCha20 to encrypt the files and an embedded RSA-2048 public key to encrypt the encryption key. From our analysis, when encrypting files, the ransomware will add an extension in the format .ReadManual.ID. For example, 1.doc would be encrypted and renamed to 1.doc.ReadManual.C77BFF8C, as shown in the encrypted folder below. ----- **Mount Locker encrypted files** The ransomware will then register the extension in the Registry so that when you click on an encrypted file, it will automatically load the ransom note. ``` HKCU\Software\Classes\.C77BFF8C\shell\Open\command\ @="explorer.exe RecoveryManual.html" ``` The ransom note is named RecoveryManual.html and contains instructions on how to access the Tor site to communicate with the ransomware operators. ----- **Mount Locker ransom note** The Tor site is simply a chat service, where victims can negotiate the ransom or ask questions. Unfortunately, the ransomware is secure, and there is no way to recover your files for free. For those who wish to receive support related to this ransomware, you can use our [dedicated Mount Locker support topic.](https://www.bleepingcomputer.com/forums/t/729090/mount-locker-ransomware-support-topic-recoverymanualhtml-8-character-hex/) ### Related Articles: [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [Quantum ransomware seen deployed in rapid network attacks](https://www.bleepingcomputer.com/news/security/quantum-ransomware-seen-deployed-in-rapid-network-attacks/) [Snap-on discloses data breach claimed by Conti ransomware gang](https://www.bleepingcomputer.com/news/security/snap-on-discloses-data-breach-claimed-by-conti-ransomware-gang/) [Shutterfly discloses data breach after Conti ransomware attack](https://www.bleepingcomputer.com/news/security/shutterfly-discloses-data-breach-after-conti-ransomware-attack/) [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) [Data Exfiltration](https://www.bleepingcomputer.com/tag/data-exfiltration/) [Data Leak](https://www.bleepingcomputer.com/tag/data-leak/) [Mount Locker](https://www.bleepingcomputer.com/tag/mount-locker/) ----- [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-group-policy-editor-bug-in-windows-server-2016/) [Next Article](https://www.bleepingcomputer.com/news/microsoft/the-windows-xp-source-code-was-allegedly-leaked-online/) Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----