Security researchers have uncovered a number of close links between the ransomware groups Mount Locker and Astro Locker Group, in a new report that will be of interest to incident responders.
Sophos' Managed Threat Response (MTR) team said it recently handled an attack that had all the TTPs of a Mount Locker operation. However, when it followed the link in the ransom note, the researchers were met by a 'support' team who introduced themselves as "Astro Locker Group."
On further investigation, MTR found that all five of the victim organizations listed on the Astro Locker Group leak site were also listed on the equivalent Mount Locker site. It also found that some of the leaked data linked to from the Mount Locker site was actually hosted on the Astro Locker onion site.
"In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we observed several techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil and DoppelPaymer," said Peter Mackenzie, manager of Sophos's Rapid Response team.
"It is possible that the Mount Locker group wants to rebrand themselves to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program. Regardless, if any organizations become a victim of Astro Locker in the future, they should investigate the TTPs of both Mount Locker and Astro Locker."
Mackenzie argued that Mount Locker could be using the Astro name to pretend the group has a major new affiliate for its new RaaS program, or it may be a legitimate deal designed to speed up its transition to becoming a RaaS operation.
"Branding is a powerful force for ransomware groups. Good branding can come from a single threat group being skilled at hitting high value targets and avoiding detection — such as DoppelPaymer — or by running a successful RaaS network — like Sodinokibi or Egregor. Powerful branding with ransomware groups can strike fear in targets and lead to a greater chance of payouts," he concluded.
"Mount Locker has established itself as a less sophisticated ransomware group, so a pivot to an affiliate program may be a way to create a new brand and move up the hierarchy of threat groups."
Sophos also said that Mount Locker might be sharing some back-end services with the Ragnar Locker group, though the latter does not yet appear to be part of its RaaS scheme.