A new ransomware named Mount Locker steals victims’ files before encrypting them and then demands multi-million dollar ransoms. This recent crime spree started in July of 2020 with Mount Locker breaching corporate networks and then deploying their ransomware.
According to published reports, the Mount Locker gang’s ransom notes demand multi-million dollar ransom payments in some cases. Before encrypting their victims’ files, Mount Locker also steals unencrypted files and threatens to publish the data online if their ransom demands are not met.
One of the attacks attributed to the group saw hackers steal 400 GB of data and then threaten to share it with the victim’s competitors, media outlets, and TV stations if the ransom was not paid. The victim decided not to pay, and the group published the stolen data on its data leak site. As of the date of this video, the data leak site includes several other alleged victims, and in one case, it also contained the leaked files.
In the late summer of 2020, the ransomware operators claimed to have stolen files from entities that include ThyssenKrupp System Engineering, security company Gunnebo, and the provider of nitinol components Memry.
Some more information regarding Mount Locker ransomware was recently uncovered by MalwareHunterTeam, which acquired a sample of Mount Locker. According to reports, Michael Gillespie of MalwareHunterTeam says that Mount Locker uses ChaCha20 to encrypt victims’ files and an embedded RSA-2048 public key to encrypt its encryption key.
The ransomware then registers the extension in the Registry so that when you click on any encrypted file, it automatically loads the ransom note. The ransom note is titled RecoveryManual.html and contains the instructions on how to access a Tor site where victims can communicate with the ransomware operators.
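As a defensive check for the file association described above, the following added example (not from the original article or from the researchers it cites) scans the text of a `reg export` of `Software\Classes` for extensions whose open command points at `RecoveryManual.html`. The extension, ProgID and path in the sample are constructed placeholders, and the lookup assumes the standard Windows extension-to-ProgID association layout.

```python
import re

NOTE_NAME = "RecoveryManual.html"  # ransom note file name given in the article
CLASSES = re.compile(r"^HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\Software\\Classes\\(.+)$", re.I)

# Constructed sample in `reg export` text form; names and path are placeholders, not IoCs.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"

[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="notepad.exe \"%1\""

[HKEY_CURRENT_USER\Software\Classes\.lockedexample]
@="lockedexample_file"

[HKEY_CURRENT_USER\Software\Classes\lockedexample_file\shell\Open\command]
@="explorer.exe \"C:\\Users\\Public\\RecoveryManual.html\""
'''

def parse_reg(text):
    """Map each Software\\Classes subkey (lowercased) to its default value."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            m = CLASSES.match(line[1:-1])
            key = m.group(1).lower() if m else None
            if key:
                defaults.setdefault(key, "")
        elif key and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping of backslashes and double quotes.
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def find_note_associations(text, note=NOTE_NAME):
    """Return (extension, open command) pairs whose handler opens the note."""
    defaults, hits = parse_reg(text), []
    for key, value in defaults.items():
        if not key.startswith(".") or "\\" in key:
            continue  # only top-level extension keys such as ".txt"
        # The command may sit under the extension key or under its ProgID.
        for owner in (key, value.lower()):
            cmd = defaults.get(owner + r"\shell\open\command", "")
            if note.lower() in cmd.lower():
                hits.append((key, cmd))
                break
    return sorted(hits)
```

Real `reg export` files are UTF-16 encoded, so decode them before passing the text to `find_note_associations`.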
The Tor site is said to be used only as a chat service, where victims can ask questions and attempt to negotiate a lower ransom with the hackers. Unfortunately, at this time there is no known way to recover files encrypted by Mount Locker ransomware for free.