BlackBerry analysis on MountLocker Ransomware as a Service

[German]Security researchers from BlackBerry have recently published a study dedicated to the MountLocker ransomware. This is now provided to other cyber criminals 'as a service' in exchange for revenue sharing.


Since July 2020, the so-called MountLocker Ransomware as a Service (RaaS) has been on the rise. BlackBerry, a provider of security software and services for the IoT, has revealed the complex structure of MountLocker-related extortions and data leaks.

MountLocker Ransomware as a Service extortion capabilities.

Since October 2020, the BlackBerry Incident Response Team has been actively tracking MountLocker affiliate campaigns as part of ongoing investigations. In collaboration with the BlackBerry Research and Intelligence team, a comprehensive report on MountLocker has been published.


Figure 1. MountLocker kill-chain, Source: Blackberry

The report looks at the operators of this threat, the ransomware, the decryption program, and the tactics, techniques, and procedures (TTPs) involved. Here are some key findings from this report:


  • The MountLocker ransomware was updated in November 2020 to expand the target range of file types and evade security software.
  • Victims' files are encrypted using ChaCha20. The file keys are encrypted with RSA-2048.
  • The ransomware appears to be reasonably robust; there are no trivial vulnerabilities that allow easy key recovery and decryption of data.

The activities of MountLocker 'partners' are also described in the report. Here are some key points:

  • Using commercial off-the-shelf tools such as CobaltStrike Beacon to deliver MountLocker ransomware.
  • Exfiltrating sensitive customer data via FTP prior to encryption.
  • Engaging in extortion and blackmail tactics to force victims to make large payments to recover stolen data and prevent public disclosure.

This combination effectively gives affiliates two ways to earn from these cyber attacks. They can extort victims by encrypting the documents in the ransomware attack. Victims who do not pay are blackmailed with the release of the captured documents. Details can be read in this comprehensive report about MountLocker.

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *