Go to listing page

Close Ties Surface Between Mount Locker and Astro Locker Team Ransomware Groups

Close Ties Surface Between Mount Locker and Astro Locker Team Ransomware Groups
Sophos Managed Threat Response team has uncovered a series of close ties between Mount Locker and Astro Locker Team ransomware groups. According to the security team, it could be an effort to rebrand themselves for striking fear into targets that could lead to higher payouts in ransom.

The connection 

Recently, the team dealt with an attack that had all the TTPs of a Mount Locker operation. However, following the link in the ransom note led to a support team that introduced themselves as the Astro Locker Team.
  • Further investigation revealed five victim organizations listed on Astro Locker Team’s leak site, along with the Mount Locker site as well.
  • In addition, some of the leaked data associated with the Mount Locker site was hosted on Astro Locker Team’s onion site.
  • Mount Locker could be using Astro Locker Team’s name to show that it now has a new affiliate for its RaaS program. Or it may be a deal between these two groups to boost their RaaS operations.

Recent attacks and affiliations

The Mount Locker gang is very active since the end of last year and has targeted several entities with massive ransom demands.
  • Mount Locker could be sharing some back-end services with the Ragnar Locker group, however, the former is not part of its RaaS operation yet.
  • Recently, the Mount Locker gang threatened to release data stolen from shipping firm, ECU Worldwide.
  • In January, the Mount Locker gang targeted Amey PLC and demanded a massive ransom of $2 billion.


It appears that the Mount Locker group is strongly working toward rebranding itself as a professional cybercriminal. Additionally, it could be an effort to begin its own RaaS program for increased revenue. Thus, organizations must always take backup of their important data to stay protected.
Cyware Publisher