Skip to content
Ransomware group

MountLocker

MountLocker is ransomware referenced in reporting on intrusion activity and malware delivery chains.

Profile source: Mallory opens in a new tab

MountLocker

Family profile

MountLocker is ransomware referenced in reporting on intrusion activity and malware delivery chains. The provided content links MountLocker to at least two access-and-deployment ecosystems. First, CrowdStrike-assessed activity described Prophet Spider as an access broker that exploited unpatched Oracle WebLogic Server vulnerabilities, including CVE-2020-14882 and CVE-2020-14750, as well as older Oracle flaws such as CVE-2016-0545 and SQL injection, to gain initial access to victim environments and likely sell that access to ransomware operators including MountLocker. In that reporting, Prophet Spider was observed compromising vulnerable web servers and public-facing applications, and researchers reported incidents where its intrusions preceded ransomware deployment. Second, CERT-FR/ANSSI reporting states that the BumbleBee loader has previously been used to deploy ransomware including MountLocker, alongside Conti, Quantum, Diavol, and Akira. BumbleBee distribution methods in the cited report include phishing, malicious advertisements, malicious sites offering fake software, email thread hijacking, and delivery by other malware such as Emotet and Raspberry Robin. The content does not provide technical details on MountLocker’s internal functionality, encryption behavior, specific victim sectors, operating systems, or direct indicators of compromise.

Ransomware.live

Operational record

View group record ↗

Exfiltration

  • MEGA
  • PrivatLab

Reported operators

Threat actors

1 named in public reporting
ToyMaker

Prophet Spider functioned as an access broker and likely granted access to Egregor and MountLocker ransomware operators in exchange for payment.

Exploited software

Vulnerabilities linked to MountLocker

2 CVEs

MITRE ATT&CK

MountLocker in ATT&CK

1 distinct techniques

Reporting

Research mentioning MountLocker

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.