MountLocker Ransomware Now Abusing Windows Active Directory To Propagate Through Network

MountLocker Ransomware is undergoing continuous development and is now using Windows Active Directory APIs to worm through the networks it infects. MountLocker began life in July 2020 as Ransomware-as-a-Service (RaaS), where developers create strains of malware and lease them out to other criminals to use against businesses and organizations. The RaaS market is highly competitive, and MountLocker has been making a name for itself as one of the most capable offerings. As part of the business arrangement, the MountLocker team takes a cut of about 25% of every ransom, while affiliates keep the remaining 75%. Different RaaS operators offer different terms, but a split like this is the most common.

In March 2021, a new ransomware group emerged called ‘Astro Locker’ that began using a customized version of the MountLocker ransomware with ransom notes pointing to their own payment and data leak sites. Many in the cybersecurity community thought this was some sort of rebranding by the developers.

In a statement to BleepingComputer, Astro Locker said, “It’s not a rebranding, probably we can define it as an alliance.”

Astro Locker appeared as a more sophisticated version of MountLocker Ransomware. In May 2021, an even newer version appeared – XingLocker.

The sample was shared by MalwareHunterTeam on Twitter and further analyzed by BleepingComputer. Both confirmed that the sample contains a new worm feature that lets it spread to, and encrypt, other devices on the network. The worm feature is only enabled when the sample is run with the /NETWORK command-line argument, which suggests it is still at a very early stage of development.

The sample was sent to Advanced Intel CEO Vitali Kremez, who discovered that MountLocker is now using the Windows Active Directory Service Interfaces API as part of its worm feature.

MountLocker first calls NetGetDCName() to obtain the name of a domain controller. It then binds to the domain controller’s directory with the ADSI function ADsOpenObject(), using credentials passed on the command line, and runs LDAP queries against it.

Using the Active Directory Service Interfaces API

Once bound to the directory, it enumerates objects matching the LDAP filter (objectclass=computer), as shown in the image above.

For each computer object it finds, MountLocker attempts to copy the ransomware executable to the remote device over the administrative share, into \\<host>\C$\ProgramData.

MountLocker then remotely creates a Windows service on that device whose binary is the dropped executable, so that starting the service launches the ransomware and encryption proceeds on the remote device.

Creating and launching the ransomware service

Using this API, MountLocker can enumerate every computer joined to the compromised Windows domain and, with stolen domain credentials, deploy itself to each one for encryption.

“Many corporate environments rely on complex active directory forests and computers within them. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operation outside of the normal network and share scan,” Kremez stated.

“This is the quantum shift of professionalizing ransomware development for corporate network exploitation.”

As Windows network administrators commonly use this API, Kremez believes the threat actor who added this code likely has some Windows domain administration experience.

While this API has been seen in other malware, such as TrickBot, this may be the first “corporate ransomware for professionals” to use these APIs to perform built-in reconnaissance and spreading to other devices.

MountLocker Ransomware Analysis

This analysis was carried out by independent ransomware researcher Zawadi Done.

For encryption, MountLocker uses ChaCha20 to encrypt file contents and RSA-2048 to encrypt the ChaCha20 key material. Before the encryption routine runs, it performs a few tasks that increase the ransomware’s effectiveness.

Both files are packed with a packer written in Visual Basic. The packer checks whether the process is being debugged using IsDebuggerPresent; if not, it continues to unpack the executable into a newly created segment. Using x64dbg and PE-bear I dumped the full executable from memory and modified the image base and section headers.

The volume serial number of the drive in use is retrieved and used as the mutex name. Every time an encrypted file is opened, the ransomware’s recovery manual (the ransom note) is opened as well.

To run a PowerShell script, it creates a file in the temporary folder C:\Users\IEUser\AppData\Local\Temp\.tmp and writes the PowerShell script shown below to it.

The PowerShell script is then executed by calling:

powershell.exe -windowstyle hidden -c "$mypid='972';[System.IO.File]::ReadAllText('C:\Users\IEUser\AppData\Local\Temp\~1399171.tmp')|iex"

This results in the shadow copies being deleted and a list of services and processes being stopped (the $mypid variable carries the ransomware’s own process ID so the script can spare it).
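Two of the behaviours described above, the remote service creation with the payload dropped under ProgramData and the hidden PowerShell stage that deletes shadow copies, translate directly into detections. The following is an added example, not code from the analysis or from the malware: Python rules run over constructed Windows event records (event 4688, process creation with command-line auditing enabled, and event 7045, service installed). The host names, service name and the vssadmin command line are assumptions, since the page reproduces neither the dropped script nor the service details.

```python
"""Detections for the MountLocker worm and pre-encryption stage, run over
constructed Windows event records. Added example; the events are made up for
illustration and the service name, paths and shadow-copy command are assumptions.
Event 4688 = Security process creation (command-line auditing on);
event 7045 = System 'a service was installed'."""
import re
from collections import defaultdict

# Constructed records: (host, event id, fields).
SAMPLE_EVENTS = [
    ("WS01", 4688, {"CommandLine": "powershell.exe -windowstyle hidden -c $mypid='972';"
                    "[System.IO.File]::ReadAllText('C:\\Users\\user\\AppData\\Local\\Temp\\~1399171.tmp')|iex"}),
    ("WS01", 4688, {"CommandLine": "vssadmin.exe delete shadows /all /quiet"}),
    ("FS01", 7045, {"ServiceName": "svc_update", "ImagePath": "C:\\ProgramData\\svc.exe"}),
    ("SQL01", 7045, {"ServiceName": "svc_update", "ImagePath": "C:\\ProgramData\\svc.exe"}),
    ("DC01", 7045, {"ServiceName": "svc_update", "ImagePath": "C:\\ProgramData\\svc.exe"}),
    ("WS02", 7045, {"ServiceName": "Sense",
                    "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""}),
    ("WS02", 4688, {"CommandLine": "powershell.exe -c Get-Process"}),
]

# Hidden-window PowerShell that reads a script file from disk and pipes it into iex.
HIDDEN_PS_LOADER = re.compile(
    r"powershell(?:\.exe)?\b.*-w(?:indowstyle)?\s+hidden\b.*ReadAllText.*\|\s*iex\b", re.I)
# Shadow-copy deletion; the vssadmin/wmic forms are assumed, the page does not show the script.
SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I)
# A newly installed service whose binary lives directly under ProgramData.
PROGRAMDATA_SERVICE = re.compile(r'^"?[a-z]:\\ProgramData\\', re.I)


def detect(events, min_hosts=3):
    """Return one alert dict per match. The last rule correlates 7045 events
    across hosts: the worm installs the same binary as a service domain-wide,
    which a single administrator deployment rarely does."""
    alerts = []
    hosts_by_image = defaultdict(set)
    for host, event_id, fields in events:
        if event_id == 4688:
            cmd = fields.get("CommandLine", "")
            if HIDDEN_PS_LOADER.search(cmd):
                alerts.append({"rule": "hidden_powershell_loader", "host": host, "detail": cmd})
            if SHADOW_DELETE.search(cmd):
                alerts.append({"rule": "shadow_copy_deletion", "host": host, "detail": cmd})
        elif event_id == 7045:
            image = fields.get("ImagePath", "")
            if PROGRAMDATA_SERVICE.search(image):
                alerts.append({"rule": "programdata_service_install", "host": host, "detail": image})
            hosts_by_image[image.strip('"').lower()].add(host)
    for image, hosts in hosts_by_image.items():
        if len(hosts) >= min_hosts:
            alerts.append({"rule": "same_service_binary_many_hosts",
                           "host": ",".join(sorted(hosts)), "detail": image})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["host"], alert["detail"])
```

The correlation rule is the one that separates the worm from routine administration: one 7045 event with a ProgramData image path is noisy on its own, the same binary installed as a service on three or more hosts is not. In production the grouping would be bounded by a time window, and the two command-line rules would be tied to the parent process tree rather than matching any PowerShell on the host.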

Using CryptAcquireContextW, CryptImportKey and CryptEncrypt, an embedded RSA-2048 public key is imported and used to encrypt 32 bytes generated from the rdtsc instruction. Both the plaintext (call it 32_bytes) and its RSA ciphertext (encrypted_32_bytes) are used later. MountLocker then enumerates all drive types, skipping the following file extensions and directories.

Using CreateFileW and CreateFileMappingW it opens the file and creates a file-mapping object for it. Instead of renaming with MoveFileW, it uses SetFileInformationByHandle on the open handle to change the file’s extension.

Using ChaCha20, a fresh 32-byte per-file key (file_32_bytes) is encrypted with 32_bytes as the key and the first 12 bytes of 32_bytes as the nonce; call the result file_encrypted_32_bytes. Both file_encrypted_32_bytes and encrypted_32_bytes (the RSA-encrypted 32_bytes) are then written to the end of the file being encrypted.

Using MapViewOfFile the file is mapped into memory, with the view length being the file size or 0x4000000 (64 MiB) bytes, whichever is smaller; anything beyond that is left untouched. The view is encrypted in place with ChaCha20 using file_32_bytes as the key and the first 12 bytes of file_32_bytes as the nonce. Once the buffer is encrypted, the view is flushed and unmapped, which writes the modified pages back to the file on disk.
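The key hierarchy and file layout described above, modelled as an added Python example. This is not the ransomware’s code and not the researcher’s; it is written here to make the two-level wrapping and the footer concrete, together with the recovery path that only the holder of the RSA private key can take. It assumes the `cryptography` package; os.urandom stands in for the rdtsc-derived bytes, and RSA-OAEP with SHA-256 stands in for whatever padding the sample’s CryptEncrypt call uses (both substitutions are assumptions). Names follow the text: run_key is 32_bytes, file_key is file_32_bytes.

```python
"""Model of the MountLocker key hierarchy and encrypted-file layout.
Added example for illustration, not the ransomware's own code.
Assumptions: the `cryptography` package is installed; os.urandom stands in
for the rdtsc-derived bytes; RSA-OAEP/SHA-256 stands in for whatever padding
the sample's CryptEncrypt call uses."""
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms

MAX_ENCRYPT = 0x4000000  # only the first 64 MiB of a file are touched
RSA_BLOB_LEN = 256       # size of an RSA-2048 ciphertext
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_attacker_keypair():
    """The RSA-2048 key pair; only the public half is embedded in the sample."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


def chacha20(key: bytes, data: bytes) -> bytes:
    """ChaCha20 with the nonce taken from the first 12 bytes of the key, as the
    analysis describes. `cryptography` takes a 16-byte value: a 4-byte little-endian
    block counter (0 here) followed by the 12-byte nonce. Encrypt and decrypt are
    the same operation because ChaCha20 is a stream cipher."""
    enc = Cipher(algorithms.ChaCha20(key, b"\x00" * 4 + key[:12]), mode=None).encryptor()
    return enc.update(data) + enc.finalize()


class RunContext:
    """Per-run state: the 32-byte run key ("32_bytes") and its RSA-wrapped form
    ("encrypted_32_bytes"), computed once before any file is touched."""

    def __init__(self, attacker_pubkey):
        self.run_key = os.urandom(32)  # the sample derives these bytes from rdtsc
        self.wrapped_run_key = attacker_pubkey.encrypt(self.run_key, OAEP)


def encrypt_file(ctx: RunContext, plaintext: bytes, limit: int = MAX_ENCRYPT) -> bytes:
    """On-disk layout of one encrypted file:
    body (first `limit` bytes ChaCha20-encrypted under a fresh per-file key, the rest
    untouched) || file_encrypted_32_bytes || encrypted_32_bytes."""
    file_key = os.urandom(32)                            # "file_32_bytes"
    wrapped_file_key = chacha20(ctx.run_key, file_key)   # "file_encrypted_32_bytes"
    body = chacha20(file_key, plaintext[:limit]) + plaintext[limit:]
    return body + wrapped_file_key + ctx.wrapped_run_key


def decrypt_file(attacker_privkey, blob: bytes, limit: int = MAX_ENCRYPT) -> bytes:
    """Recovery path: the footer carries both wrapped keys; only the RSA private key
    unwraps the run key, which unwraps the per-file key, which decrypts the body."""
    footer = 32 + RSA_BLOB_LEN
    body = blob[:-footer]
    wrapped_file_key = blob[-footer:-RSA_BLOB_LEN]
    wrapped_run_key = blob[-RSA_BLOB_LEN:]
    run_key = attacker_privkey.decrypt(wrapped_run_key, OAEP)
    file_key = chacha20(run_key, wrapped_file_key)
    return chacha20(file_key, body[:limit]) + body[limit:]


if __name__ == "__main__":
    priv, pub = generate_attacker_keypair()
    ctx = RunContext(pub)
    blob = encrypt_file(ctx, b"quarterly-report contents", limit=8)
    assert decrypt_file(priv, blob, limit=8) == b"quarterly-report contents"
```

Two properties of the described design fall out of the model. First, every file in a run ends with the same 256-byte RSA blob, so the run key is recoverable only by the attacker, and the per-file key is protected by nothing else; a file is recoverable without the private key only if the run key itself is weak, which is where the rdtsc origin of those 32 bytes matters far more than the cipher (a timestamp counter carries nowhere near 256 bits of entropy). Second, the wrapping step uses the same key and the same nonce (the first 12 bytes of 32_bytes) for every file in the run, which is keystream reuse: the XOR of any two files’ file_encrypted_32_bytes values equals the XOR of their per-file keys. That leaks a relation between keys, not the keys themselves, so it does not by itself give a decryptor.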

The encryption procedure is described in the diagram below.


After the files are encrypted, MountLocker ransomware will delete itself.

The MountLocker ransomware drops a ransom note in every folder that it encrypts with the name RecoveryManual.html. This note includes a ClientId which can be used to contact the threat actor on their own “support” portal. This ClientId is based on the computer name XOR’ed by a hardcoded value.


With threats like MountLocker ransomware evolving and expanding every day, it is important that individuals and business owners have adequate protection tools to keep their devices safe. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.
