Go to listing page

Mount Locker Ransomware Learns New Tricks to Evade Detection

Mount Locker Ransomware Learns New Tricks to Evade Detection
Mount Locker, the infamous ransomware strain, has been discovered with several enhancements in its recent campaigns, including more sophisticated scripting, detection evasion, and anti-prevention features. According to researchers, the recent changes in its tactics are apparently related to a rebranding for the malware as AstroLocker.

What has happened?

According to an analysis by GuidePoint Security, the recent updates in features suggest an aggressive shift in Mount Locker’s tactics. The ransomware now has the ability to disable detection and prevention tools.
  • The newly added sophisticated scripts were not just used to disable detection or prevention tools, they were customized and used to target some specific victim’s network environment.
  • Another change in tactics for the group was the use of multiple CobaltStrike servers with unique domains. This step helps in evading detection, however, requires more management.
  • Moreover, the recent changes have been accompanied by an increase in Mount Locker attacks, particularly those discovered to be aimed at organizations in the biotech industry.
  • In addition, healthcare and biotech companies are prime targets for ransomware because they have a lot of cash money, possess highly sensitive info, and cannot halt their business for too long.

Recent connections

  • Last month, a connection between Mount Locker and the Astro Locker team was disclosed by Sophos.
  • Astro Locker’s leak website had names of five organizations, which were also listed as victims in the Mount Locker site.
  • Moreover, it was discovered that some of the leaked data mentioned on the Mount Locker site, was being hosted on the Astro Locker Onion website.


The Mount Locker gang is suspected to be rebranding itself as AstroLocker. Organizations are recommended to look up for signs of AstroLocker or Mount Locker within their environments, such as the presence of CobaltStrike stagers and beacons. Moreover, they can monitor for the exfiltration and staging of files via FTP to prevent attacks from such threats.

Cyware Publisher