Security researchers at Blackberry say that a new strain of ransomware has popped up that uses affiliates to spread malware. Since July, the researchers say that MountLocker has been available as ransomware-as-a-service (RaaS) and was updated this November to broaden the file types it targets and how it gets past security.

The malware is less than 100kb in size, making it simple to use and lightweight. It is deployable as either x86 or x64 Windows portable executable file and sometimes as a Microsoft Installer (MSI) package. The ransomware encrypts data on targeted computers and then demands Bitcoin as ransom. The hackers threaten to leak stolen information if they aren’t paid.

The modus operandi

Blackberry researchers say that the ransomware uses an affiliate route to find targets. The investigations reveal that the threat actors used remote desktops (RDPs) with compromised credentials to access their target’s environment.

After gaining a foothold in an organization, the attackers laid low for a couple of days before resuming activity in one of the cases.

The researchers believe that this pause may be accounted for by the likelihood that the attackers may have been negotiating with MountLocker operators to get on the affiliate program and get the ransomware. After they obtained it, they returned with publicly available tools to continue their strike.

A bleaker outlook

Blackberry noted that MountLocker’s “News and Leaks” lists only five victims. However, the number will likely go up as the activities increase. Researchers said that the people behind MountLocker are in the warm-up phase of their operation.

They started slowly in July and are gaining ground quite rapidly. The high-profile nature of extorting companies and leaking data has led to an increase in ransoms.

MountLocker affiliates are usually fast operators and exit with sensitive information while encrypting the rest in just a few hours.

Tip: BlackBerry secures mobile devices on the fly