This ransomware began operating in July 2020, targeting corporate networks, and has received an update that halves its size.
Its operators steal data before encrypting it and threaten to leak the files unless victims meet their ransom demands of millions of dollars.
In the second half of November, malware researchers observed the second release of MountLocker, along with evidence that its operators were preparing for attacks.
Research shows that the ransomware's developers added file extensions associated with TurboTax, the software used to prepare tax return documents.
The developers reduced the 64-bit version to 46 KB, making the second version about 50 percent smaller than the first.
To get there, they removed the list of file extensions, which contained over 2,600 encryption-target entries.
The software now targets a much smaller list while excluding file types that are easily replaced: EXE, DLL, SYS, MSI, MUI, INF, CAT, BAT, CMD, PS1, VBS, TTF, FON, and LNK.
The new code is largely similar to the old, and the biggest change is that deleting volume backups and terminating processes is now done by a PowerShell script before files are encrypted.
BlackBerry says 70 percent of the code in the second version of MountLocker is the same as in the first, including the use of the insecure Windows API function GetTickCount to generate the random encryption key.
GetTickCount has been superseded by GetTickCount64, and Microsoft lists both functions as unsafe for generating random numbers.
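To make the GetTickCount point concrete, here is an added illustration written for this article; it is a constructed model, not MountLocker's code or BlackBerry's analysis. A key whose only entropy is a 32-bit millisecond uptime counter is a pure function of that counter, so anyone who can bound the host's uptime at encryption time can enumerate every key it could have produced, whereas a key from the OS cryptographic RNG cannot be enumerated. The SHA-256 derivation, the 32-byte key size and the one-minute uptime window are assumptions.

```python
import hashlib
import secrets

KEY_BYTES = 32  # constructed: a 256-bit symmetric key


def tick_seeded_key(tick_ms: int) -> bytes:
    """Model of a key whose entire entropy is a GetTickCount-style value.

    GetTickCount returns milliseconds since boot as a 32-bit counter. The
    SHA-256 step is a constructed stand-in for whatever derivation a program
    might use; the weakness is that the output is a pure function of the seed.
    """
    seed = (tick_ms & 0xFFFFFFFF).to_bytes(4, "little")  # 32-bit wrap
    return hashlib.sha256(seed).digest()[:KEY_BYTES]


def csprng_key() -> bytes:
    """Key from the OS cryptographic RNG (on Windows, BCryptGenRandom)."""
    return secrets.token_bytes(KEY_BYTES)


def candidate_keys(tick_lo_ms: int, tick_hi_ms: int) -> dict:
    """Every key the tick-seeded generator could have produced in a window.

    Bounding uptime at encryption time (boot time from event logs, encryption
    time from file timestamps) shrinks the search space from 2**256 keys to
    (tick_hi - tick_lo + 1) keys, which is why code reviewers flag such seeds.
    """
    return {tick_seeded_key(t): t for t in range(tick_lo_ms, tick_hi_ms + 1)}


def recover_seed(key: bytes, tick_lo_ms: int, tick_hi_ms: int):
    """Return the tick value that produced `key` if it lies in the window."""
    return candidate_keys(tick_lo_ms, tick_hi_ms).get(key)


def demo() -> dict:
    # Constructed scenario: encryption ran about 3 days after boot, and the
    # uptime at that moment is known to within one minute (+/- 30 s).
    actual_tick = 3 * 24 * 3600 * 1000 + 123_456
    lo, hi = actual_tick - 60_000, actual_tick + 60_000
    weak = tick_seeded_key(actual_tick)
    strong = csprng_key()
    return {
        "tick_space": hi - lo + 1,                            # 120001 keys
        "weak_recovered": recover_seed(weak, lo, hi) == actual_tick,
        "strong_in_window": recover_seed(strong, lo, hi) is not None,
    }
```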
BlackBerry's investigation of the MountLocker campaigns showed that attackers often gain access to the victim's network via RDP using compromised data.
Although new, this strain of ransomware is clearly well funded and likely to expand its operations for maximum profit, and researchers expect it to continue its efforts in the short term.