Researchers discovered a new ransomware model that seems to be inspired by the modern franchise-based business model. The secrets of the new model were divulged after investigating activities of the XingLocker ransomware group and AstroLocker Team, which actually turned out to be a rebranded version of Mount Locker, the main RaaS.

Explaining the franchise model

The RaaS affiliates were found rebranding the ransomware before deploying it on victims’ systems instead of using the original parent RaaS name.
  • XingLocker, as research suggests, is a rebranded version of Mount Locker since the former was using different onion addresses for each victim but it pointed to the same server.
  • Additionally, an analysis of the HTTP requests to this server revealed other directories that have data of victim companies of the AstroLocker Team, not XingLockers’.
  • This indicates some major overlap in the infrastructure used by these three ransomware strains, which was further verified by several additional facts.

AstroLocker Team, XingLocker, and MountLocker connection

Researchers further identified a typical distribution of resources among the two malware, that points towards the use of a shared infrastructure.
  • Researchers discovered fifteen onion addresses used by seven different servers, out of which four were known and dubbed as A, B, C, and D.
  • It was found that all the seven servers were used by the XingLocker, while the B and C server was used by XingLocker along with the AstroLocker Team.
  • Meanwhile, Sophos' team had already revealed the connection between Mount Locker and AstroLocker Team back in March 2021.


The findings make a franchise RaaS model evident where Mount Locker is at the top of the hierarchy, and the XingLocker and AstroLocker Team are two affiliates using the base malware and a common infrastructure with their own branding. The franchise business model says a lot about innovative strategies being deployed by cyber adversaries.
Cyware Publisher