Researchers have discovered a new ransomware operation called "Mount Locker" that is currently active; the hackers behind it steal their victims' files before encryption and then demand ransoms of several million dollars.
Since the end of July, the Mount Locker gang has been breaching corporate networks and deploying its ransomware on them. From the ransom notes shared by victims with BleepingComputer, it appears that the Mount Locker gang is in some cases asking its victims to pay multimillion-dollar ransoms.
Before encrypting files, Mount Locker steals the unencrypted files and threatens to leak the data they contain if the victim refuses to pay the demanded ransom.
For example, the Mount Locker gang told one victim that they had stolen 400 GB of data that would be leaked to the victim's competitors, the media, television and newspapers if the ransom was not paid. In the end, the victim did not pay, and its stolen data was published on the gang's ransomware data leak site. This site currently lists four victims, of which only one has had files leaked.
MalwareHunterTeam recently discovered a sample of Mount Locker, which provided an overview of how ransomware works.
Michael Gillespie, who analyzed the ransomware, said Mount Locker uses ChaCha20 for file encryption and an embedded RSA-2048 public key to encrypt the ChaCha20 encryption key. When encrypting files, the ransomware appends an extension of the form .ReadManual.ID. For example, 1.doc is encrypted and renamed to 1.doc.ReadManual.C77BFF8C.
The ransomware then registers this extension in the Registry so that when the victim double-clicks an encrypted file, the ransom note is automatically opened. The note is named RecoveryManual.html and contains instructions on how to access a Tor site to communicate with the ransomware operators.
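As an added illustration (not from the original article or from any analysis tool mentioned in it) of how a defender could triage a file share for these indicators, the script below scans a constructed file listing for the `.ReadManual.<ID>` extension pattern and the `RecoveryManual.html` note, groups hits by ID and recovers the original file names. It assumes the ID is eight uppercase hexadecimal characters, as in the sample name above; the function names and sample paths are mine.

```python
import re
from collections import defaultdict

# Mount Locker renames "1.doc" to "1.doc.ReadManual.C77BFF8C" (per the article).
# Assumption: the ID is eight uppercase hex characters, as in the sample shown.
ENCRYPTED_NAME = re.compile(r"^(?P<orig>.+)\.ReadManual\.(?P<id>[0-9A-F]{8})$")
RANSOM_NOTE = "RecoveryManual.html"


def triage_listing(paths):
    """Group encrypted files by victim ID and record where ransom notes sit.

    Returns {"by_id": {ID: [(path, original_name), ...]},
             "notes": [directories containing RecoveryManual.html]}.
    """
    by_id = defaultdict(list)
    notes = []
    for path in paths:
        directory, _, name = path.rpartition("/")
        if name == RANSOM_NOTE:
            notes.append(directory)
            continue
        m = ENCRYPTED_NAME.match(name)
        if m:
            by_id[m.group("id")].append((path, m.group("orig")))
    return {"by_id": dict(by_id), "notes": notes}


def is_likely_mount_locker(report, min_files=2):
    """Heuristic: several files sharing one ID plus at least one ransom note."""
    return bool(report["notes"]) and any(
        len(files) >= min_files for files in report["by_id"].values()
    )


# Constructed sample listing (not real victim data).
SAMPLE_PATHS = [
    "/srv/share/finance/1.doc.ReadManual.C77BFF8C",
    "/srv/share/finance/q3.xlsx.ReadManual.C77BFF8C",
    "/srv/share/finance/RecoveryManual.html",
    "/srv/share/hr/readme.txt",            # untouched file
    "/srv/share/hr/notes.ReadManual.txt",  # suffix is not an 8-hex ID: no match
]

if __name__ == "__main__":
    report = triage_listing(SAMPLE_PATHS)
    for vid, files in report["by_id"].items():
        print(f"ID {vid}: {len(files)} encrypted file(s)")
    print("ransom notes in:", report["notes"])
    print("likely Mount Locker:", is_likely_mount_locker(report))
```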