SpearTip was able to obtain a malicious DLL responsible for a newly identified variant of ransomware known as MountLocket. At the time of testing, this file hash isn’t even searchable on the site VirusTotal or any major malware sites utilized by security researchers. The sample obtained appears to be sought after by the high profile ransomware researcher Michael Gillespie of the site ID Ransomware. SpearTip is scraping necessary information for proper upload and further reverse analysis.

SpearTip has begun reverse engineering the sample to learn more about the full functionality of the malicious executable.  A large percentage of the malware SpearTip encounters utilizes the technique of process injection to escalate privileges and evade any systems defenses and the sample of MountLocket is no different. Process injection consists of executing arbitrary code into the address space of legitimate running process.  The malicious DLL obtained by SpearTip directly interacts with the Windows API to execute its malicious behaviors. Specifically, the DLL abuses the Windows process regsvr32.exe to proxy the execution of malicious code and evade system defenses.

Here is a screenshot of the MountLocket function responsible for creating the ransom note on affected systems:

Filename: apex32-649e69d1b4e989640173252aadc58aad.dll

SHA1 Hash Value: 609829e1262671f75fd8b7cfb1af7a016a427cf8

The attack vectors used by MountLocket are similar to other forms of ransomware and an infection could occur though externally facing RDP or through malicious email attachments based on the typical attack vector SpearTip has developed.  The operators of MountLocket are demanding a ransom payment of $2,000,000 in order for victim organizations to unlock their files.

Detecting and blocking attempts to inject malicious code into legitimate processes like MountLocket uses is one of the key modules within SpearTip’s ShadowSpear Platform.  Our toolset is able to detect and prevent MountLocket before any of the malicious functions can successfully execute on a system.

To prevent being a victim of ransomware, SpearTip recommends having a solid back-up policy, a reliable EDR tool, and a security team monitoring incoming alerts on a 24/7 basis.

SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyberattacks, but also able to deploy our proprietary tool, ShadowSpear® in an environment before or after an attack.