Since its discovery at the end of July 2020, the MountLocker ransomware has been growing rapidly, and it has now become very prominent and geographically diverse. Recently, BlackBerry researchers published a technical analysis of a new MountLocker variant.

Key findings

  • The latest MountLocker version first surfaced in the wild in late November, with a compilation timestamp from early November.
  • The new MountLocker ransomware variant is considerably smaller in size than the previous versions, owing to the removal of the vast list of file extensions it targets. It shares approximately 70% similarity with the initial MountLocker release, with no apparent changes.
  • The MountLocker operators have been relying on affiliates for the initial intrusion into corporate networks. Through the Ransomware-as-a-Service (RaaS) and affiliate program, the ransomware is deployed widely, with the operators seeking multimillion-dollar payments for decryption services.
  • MountLocker affiliates were observed using public tools such as CobaltStrike Beacon and AdFind in these attacks for reconnaissance and lateral movement on the network, while FTP was used to exfiltrate sensitive client data prior to encryption.

The recent MountLocker attacks

  • In the second half of November, the same version added file extensions such as .tax, .tax2009, .tax2013 and .tax2014, which are associated with the TurboTax software for preparing tax return documents.
  • In the same month, the ransomware group targeted Sonoma Valley Hospital, stealing its data and leaking it online.
  • MountLocker targeted the Swedish security firm Gunnebo AB in October.


The MountLocker group has been observed expanding its scope and improving its capabilities in a very short span of time. The ransomware has been able to target victims around the world and now, with improved capabilities and affiliation, it is likely to become a prominent threat for global organizations.

Cyware Publisher