Sophos identifies connection between Mount Locker and Astro Locker team ransomware

April 5, 2021

Sophos published a new report on a recently uncovered connection between the Mount Locker ransomware group and a new group, called “Astro Locker Team.”

In a nutshell, Sophos recently detected ransomware targeting an organization’s unprotected machines that had all the hallmarks of Mount Locker ransomware. However, when they followed the link in the ransom note to the attackers’ chat/support site, Sophos incident responders found themselves faced with a near-unknown group calling itself “AstroLocker Team” or “Astro Locker Team.” Astro Locker appears to be a new ransomware family – but appearances can be deceptive.

When comparing the Astro Locker leak site to the Mount Locker leak site, investigators noted that all five of the organizations listed on the Astro Locker site were also listed as victims on the Mount Locker site. Digging in further, the size of the data leaks on all five matched and shared some of the same links to the leaked data.

Looking at the matching links more closely, Sophos experts noticed one last connection: some of the leaked data linked on the Mount Locker site was being hosted on the Astro Locker onion site: http[:]//anewset****.onion

While it is unclear what the relationship is between Mount Locker and Astro Locker, defenders should consider both when dealing with a ransomware attack, Sophos researchers say.

Peter Mackenzie, manager of Sophos’ Rapid Response team, says, “In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’ Rapid Response team. “It is possible that the Mount Locker group wants to rebrand itself to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program with Astro Locker as a significant branded affiliate. It could even be that the Mount Locker group is using the Astro Locker name to pretend they have such an affiliate. Regardless, if any organization becomes a victim of ‘Astro Locker’ in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.”

For the full report, please visit https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Organizations rely on application innovation, particularly API-driven applications, to fuel their business transformation and growth. Attackers know this and are constantly looking for ways to find the unfindable and break the unbreakable. They’ve got tools, motivation, and time on their side.

Poll

Comparison Metrics

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Sophos identifies connection between Mount Locker and Astro Locker team ransomware

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Sophos identifies connection between Mount Locker and Astro Locker team ransomware

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.