Mount Locker, a ransomware operation that was first discovered in July, is now preparing to take advantage of the tax season in the U.S. Recently, the ransomware operators have been observed specifically targeting TurboTax returns for encryption. TurboTax is software used to prepare American income tax returns.

What happened?

Cybercriminals behind this ransomware are using a double extortion tactic in which victims are warned that their data will be leaked online if the ransom is not paid. This tactic is very common among almost all ransomware families.
  • Mount Locker ransomware operators are specifically centering their attacks on taxpayers.  
  • The ransomware encrypts files that have specific file extensions, including .tax, .tax2009, .tax2013, and .tax2014—which are all associated with the TurboTax software.
  • Strangely, the ransomware is targeting file extensions that belong to specific tax years. After encryption, every encrypted file appended with extensions has the string “tax” in it.

Recent tax-related threats

  • Cyberattacks built around tax-related schemes are becoming very common and prominent, as attackers try to exploit potential victims' tax-related concerns and activities.
  • Recently, a tax-related scam was found targeting residents of the U.K., luring them with text messages related to the ongoing HM Revenue and Customs (HMRC) tax rebate scheme.
  • A few weeks ago, Mount Locker targeted and stole data from the Swedish Tax Agency, as well as Gunnebo AB and the Riksdag, Sweden’s national legislature and supreme decision-making body.

Ransomware incidents are frequent

  • Egregor ransomware operators targeted retail giant Cencosud and stole sensitive files. A week later, they hijacked all the printers in the office to gain victims’ attention.
  • Capcom, a well-known game maker, was hit in the first week of this month by Ragnar Locker ransomware that exposed its customer records.


Cybercriminals always wait for an opportunity to strike, and tax season appears to be one such opportunity they have focused on. Therefore, experts suggest keeping backups of TurboTax files and other important documents. In addition, stay alert when you receive an email asking for tax details, or do not open it at all.
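One way to act on the backup advice above, as an added example that is not part of the original article: it finds files with the TurboTax extensions the article lists and copies them to a backup folder, verifying each copy and writing a SHA-256 manifest. The function names, the pattern that accepts any four-digit year, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Extensions named in the article (.tax, .tax2009, .tax2013, .tax2014); accepting
# any four-digit year is a generalization added here.
TAX_EXT = re.compile(r"^\.tax(\d{4})?$", re.IGNORECASE)

def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def backup_tax_files(source: Path, dest: Path) -> dict:
    """Copy TurboTax data files under source to dest; return {relative path: SHA-256}."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(source.rglob("*")):
        if not path.is_file() or not TAX_EXT.match(path.suffix):
            continue
        rel = path.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps timestamps
        digest = file_sha256(path)
        if file_sha256(target) != digest:  # verify the copy before trusting it
            raise OSError(f"backup of {rel} does not match the original")
        manifest[rel.as_posix()] = digest
    # Manifest in sha256sum format so the backup can be re-checked later.
    lines = [f"{d}  {p}\n" for p, d in manifest.items()]
    (dest / "MANIFEST.sha256").write_text("".join(lines))
    return manifest

def demo() -> dict:
    # Constructed sample tree: three TurboTax files and two unrelated ones.
    names = ["2013 return.tax2013", "2014 return.TAX2014", "old.tax", "notes.txt", "tax.pdf"]
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "Documents"), Path(tmp, "backup")
        (src / "TurboTax").mkdir(parents=True)
        for name in names:
            (src / "TurboTax" / name).write_bytes(name.encode())
        return backup_tax_files(src, dst)

if __name__ == "__main__":
    for rel, digest in demo().items():
        print(digest[:16], rel)
```

Point `dest` at removable or offline storage outside `source`, since a backup on a drive the infected machine can write to can be encrypted too.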

Cyware Publisher