Mount Locker Ransomware Targets U.S. Taxpayers

What happened?

• Mount Locker ransomware operators are specifically centering their attacks on taxpayers.  
• The ransomware encrypts files that have specific file extensions, including .tax, .tax2009, .tax2013, and .tax2014—which are all associated with the TurboTax software.
• The ransomware is strangely targeting file extensions that belonged to specific tax years. After encryption, every encrypted file appended with extensions has a string “tax” into it.

Recent tax-related threats

• Cyber attacks on tax-related schemes are becoming very common and prominent, trying to harness and exploit tax-related concerns and activities by potential victims.
• Recently, a tax-related scam was found targeting the residents in the U.K, luring them with text messages related to the ongoing HM Revenue and Customs (HMRC) tax rebate scheme.
• A few weeks ago, Mount Locker had targeted and stolen data from the Swedish Tax Agency, as well as Gunnebo AB and Sweden’s national legislation and supreme decision-maker Riksdag.

Ransomware incidents are frequent

• Egregor ransomware operators targeted retail giant Cencosud and stole sensitive files. A week later it hijacked all the printers in the office to gain victims’ attention.
• Capcom, a well-known gamer maker, was hit in the first week of this month by Ragnar Locker ransomware that exposed its customer records.

Conclusion