Sophos published a new report on a recently uncovered connection between the Mount Locker ransomware group and a new group, called “Astro Locker Team.”
In a nutshell, Sophos recently detected ransomware targeting an organization’s unprotected machines that had all the hallmarks of Mount Locker ransomware. However, when they followed the link in the ransom note to the attackers’ chat/support site, Sophos incident responders found themselves faced with a near-unknown group calling itself “AstroLocker Team” or “Astro Locker Team.” Astro Locker appears to be a new ransomware family – but appearances can be deceptive.
When comparing the Astro Locker leak site to the Mount Locker leak site, investigators noted that all five of the organizations listed on the Astro Locker site were also listed as victims on the Mount Locker site. Digging in further, the sizes of the data leaks for all five matched, and the listings shared some of the same links to the leaked data.
Looking at the matching links more closely, Sophos experts noticed one last connection: some of the leaked data linked on the Mount Locker site was being hosted on the Astro Locker onion site: http[:]//anewset****.onion
While it is unclear what the relationship is between Mount Locker and Astro Locker, defenders should consider both when dealing with a ransomware attack, Sophos researchers say.
“In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’ Rapid Response team. “It is possible that the Mount Locker group wants to rebrand itself to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program with Astro Locker as a significant branded affiliate. It could even be that the Mount Locker group is using the Astro Locker name to pretend they have such an affiliate. Regardless, if any organization becomes a victim of ‘Astro Locker’ in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.”
For the full report, please visit https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/