MountLocker ransomware recently received an update that cut its size in half but preserves a weakness that could potentially allow the random key used to encrypt files to be recovered.
The ransomware appeared in July 2020 and targets corporate networks. Its operators steal data before encrypting it and threaten to leak the stolen files unless the ransom, usually in the millions of dollars, is paid.
In the second half of November, malware researchers spotted a second release of MountLocker being offered, with indications that its operators are preparing for the upcoming tax season.
Research by Vitali Kremez of Advanced Intelligence (AdvIntel) shows that the ransomware developers added file extensions (.tax, .tax2009, .tax2013, .tax2014) used by the TurboTax tax-return preparation software.
In a technical analysis released today, the BlackBerry Research and Intelligence Team notes that the new MountLocker variant carries a compilation timestamp of November 6.
The developers cut the 64-bit build down to 46 KB, roughly 50% smaller than the previous version. To get there, they dropped the list of more than 2,600 file extensions that the earlier build targeted for encryption.
Instead, the new variant encrypts everything except a short exclusion list of file types that are easy to replace: .EXE, .DLL, .SYS, .MSI, .MUI, .INF, .CAT, .BAT, .CMD, .PS1, .VBS, .TTF, .FON, .LNK. The practical effect is a wider blast radius: any file type not on that short list is a candidate for encryption.
The new code is very similar to the old one; the biggest change is that deleting shadow copies and terminating processes are now handled by a PowerShell script that runs before file encryption begins.
BlackBerry puts the overlap at about 70%: that much of the code in the new MountLocker is unchanged from the previous version.