Security Affairs

Mount Locker ransomware operators demand multi-million dollar ransoms

The operators behind new ransomware dubbed Mount Locker have adopted the same tactic of other gangs threatening the victims to leak stolen data.

A new ransomware gang named Mount Locker has started its operations stealing victims’ data before encrypting.

According to BleepingComputer, the ransomware operators are demanding multi-million dollar ransoms.

Like other ransomware operators, Mount Locker targets corporate networks; it has been active since the end of July 2020.

“From ransom notes shared with BleepingComputer by victims, the Mount Locker gang is demanding multi-million dollar ransom payments in some cases.” reported BleepingComputer.

Mount Locker ransom note (Source: BleepingComputer)

In one of the attacks attributed to the group, the gang stole 400 GB of data from the victim and threatened to share it with the victim’s competitors, media outlets, and TV channels if the ransom was not paid.

The victim decided to not pay the ransom and the group published its data on its data leak site.

Currently, the data leak site lists the names of other alleged victims, and for one of them it already contains the leaked files.

Recently the ransomware operators claimed to have stolen files from ThyssenKrupp System Engineering, from the security company Gunnebo, from the Nitinol components provider Memry, and from Makalot.

https://twitter.com/ransomleaks/status/1309512461654077441
https://twitter.com/ransomleaks/status/1309514131150700545
https://twitter.com/ransomleaks/status/1309515088081170432
https://twitter.com/ransomleaks/status/1309517513991036928

According to the popular malware researcher Michael Gillespie, Mount Locker uses ChaCha20 to encrypt files and an embedded RSA-2048 public key to encrypt the file encryption key.

The malware appends the extension .ReadManual.ID to the filenames of the encrypted files.

The ransom note, named RecoveryManual.html, includes instructions on how to access a Tor site hosting a chat service through which victims can communicate with the ransomware operators.
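The two file-system indicators named above (the .ReadManual.ID extension appended to encrypted files and the RecoveryManual.html ransom note) are what a defender can alert on while encryption is still in progress. The following Python detection sketch is an added example, not code from the article, from BleepingComputer, or from any vendor: it parses a constructed, simplified file-activity log (the one-event-per-line layout is an assumption, as are the burst window and threshold), flags renames to the ransomware extension and creation of the ransom note, and raises severity when many renames land within a short window, which is the pattern a mass-encryption run produces.

```python
"""Detection sketch for Mount Locker-style file-encryption activity.

Added example (not the article's or any vendor's code). Assumed log layout,
one event per line, paths without spaces:
    <ISO timestamp> RENAME <old path> -> <new path>
    <ISO timestamp> CREATE <path>
Indicators are the ones the article names; window/threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import posixpath

ENCRYPTED_SUFFIX = ".ReadManual.ID"   # extension appended to encrypted files
RANSOM_NOTE = "RecoveryManual.html"   # ransom note file name

# Constructed sample events, not from a real incident.
SAMPLE_LOG = """\
2020-09-25T10:00:01 RENAME /srv/share/finance/q3.xlsx -> /srv/share/finance/q3.xlsx.ReadManual.ID
2020-09-25T10:00:01 RENAME /srv/share/finance/q2.xlsx -> /srv/share/finance/q2.xlsx.ReadManual.ID
2020-09-25T10:00:02 RENAME /srv/share/finance/budget.docx -> /srv/share/finance/budget.docx.ReadManual.ID
2020-09-25T10:00:02 CREATE /srv/share/finance/RecoveryManual.html
2020-09-25T10:00:03 RENAME /srv/share/hr/policy.pdf -> /srv/share/hr/policy.pdf.ReadManual.ID
2020-09-25T10:05:00 RENAME /home/alice/draft.txt -> /home/alice/draft-final.txt
"""

# Benign activity only: an ordinary rename, no indicators.
BENIGN_LOG = "2020-09-25T10:05:00 RENAME /home/alice/draft.txt -> /home/alice/draft-final.txt\n"


@dataclass
class FileEvent:
    ts: datetime
    action: str
    path: str
    new_path: Optional[str] = None


def parse_log(text: str) -> List[FileEvent]:
    """Parse the assumed log layout into FileEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, action, rest = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_str)
        if " -> " in rest:
            src, dst = rest.split(" -> ", 1)
            events.append(FileEvent(ts, action, src, dst))
        else:
            events.append(FileEvent(ts, action, rest))
    return events


def _has_burst(times: List[datetime], window: timedelta, threshold: int) -> bool:
    """True if at least `threshold` timestamps fall inside any `window`-long span."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect_mount_locker_activity(log_text: str, window_seconds: int = 60,
                                 burst_threshold: int = 3) -> Dict[str, object]:
    """Return the indicators found plus a severity label.

    severity: "high" when a rename burst occurs or encrypted files and a ransom
    note appear together, "medium" for a lone indicator, "none" otherwise.
    """
    events = parse_log(log_text)
    renamed = [e for e in events
               if e.action == "RENAME" and e.new_path
               and e.new_path.endswith(ENCRYPTED_SUFFIX)]
    encrypted = [e.new_path for e in renamed]
    notes = [e.path for e in events
             if e.action == "CREATE" and posixpath.basename(e.path) == RANSOM_NOTE]
    burst = _has_burst([e.ts for e in renamed],
                       timedelta(seconds=window_seconds), burst_threshold)
    if burst or (encrypted and notes):
        severity = "high"
    elif encrypted or notes:
        severity = "medium"
    else:
        severity = "none"
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "burst": burst,
        "directories": sorted({posixpath.dirname(p) for p in encrypted}),
        "severity": severity,
    }


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        print(name, detect_mount_locker_activity(log))
```

In a real pipeline the same logic would consume EDR or file-audit events rather than a text blob, and the directory list in the result is what an responder would use to scope which shares were touched before the note appeared.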

Experts confirmed that the encryption process implemented by the ransomware is not affected by any flaw, which means that it is not possible to recover the victims’ files for free.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)
