Security experts have discovered a series of close links between ransomware groups Mount Locker and Astro Locker Team in a new report of attention to incident responders.
Sophos’ (MTR) Managed Threat Response team said it lately dealt with an attack with all the TTP of a Mount Locker Operation. However, when it followed the ransom note link, the researchers were met by a “support” team introducing themselves as “Astro Locker Team.”
On further examination, the MTR Team found all five of the victim corporations posted on the Astro Locker Team leak website were also on the Mount Locker website. MTR Team also discovered that the Astro Locker Onion Website hosted the same leaked data linked to the Mount Locker site.
“In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil, and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’s Rapid Response Team.
“The Mount Locker group may want to rebrand themselves to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program. Regardless, if any organizations become a victim of Astro Locker in the future, they should investigate the TTP of both Mount Locker and Astro Locker.”
Mackenzie disputed that Mount Locker could be using the Astro name to pretend the group has a significant new affiliate for its new RaaS program, or it may be a fair deal intended to expedite its transition to becoming a RaaS operation.
“Branding is a powerful force for ransomware groups. Good branding can come from a single threat group being skilled at hitting high-value targets and avoiding detection – such as DoppelPaymer – or running a successful RaaS network – like Sodinokibi Egregor. Powerful branding with ransomware groups can strike fear in targets and lead to a higher likelihood of payouts,” he concluded.
“Mount Locker has proven itself as a less sophisticated ransomware group, so a pivot to an affiliate program might be a way to create a new brand and move up the hierarchy of threat groups.”
Sophos also challenged that Mount Locker may be partaking in some back-end services with the Ragnar Locker group. However, the latter doesn’t seem to be part of its RaaS scheme yet.