CybersecurityManagementSecurity NewswireCybersecurity News

Sophos identifies connection between Mount Locker and Astro Locker team ransomware

ransomware
April 5, 2021

Sophos published a new report on a recently uncovered connection between the Mount Locker ransomware group and a new group, called “Astro Locker Team.”

In a nutshell, Sophos recently detected ransomware targeting an organization’s unprotected machines that had all the hallmarks of Mount Locker ransomware. However, when they followed the link in the ransom note to the attackers’ chat/support site, Sophos incident responders found themselves faced with a near-unknown group calling itself “AstroLocker Team” or “Astro Locker Team.” Astro Locker appears to be a new ransomware family – but appearances can be deceptive.

When comparing the Astro Locker leak site to the Mount Locker leak site, investigators noted that all five of the organizations listed on the Astro Locker site were also listed as victims on the Mount Locker site. Digging in further, the size of the data leaks on all five matched and shared some of the same links to the leaked data.

Looking at the matching links more closely, Sophos experts noticed one last connection: some of the leaked data linked on the Mount Locker site was being hosted on the Astro Locker onion site: http[:]//anewset****.onion

While it is unclear what the relationship is between Mount Locker and Astro Locker, defenders should consider both when dealing with a ransomware attack, Sophos researchers say.

Peter Mackenzie, manager of Sophos’ Rapid Response team, says, “In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like RyukREvil and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’ Rapid Response team. “It is possible that the Mount Locker group wants to rebrand itself to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program with Astro Locker as a significant branded affiliate. It could even be that the Mount Locker group is using the Astro Locker name to pretend they have such an affiliate. Regardless, if any organization becomes a victim of ‘Astro Locker’ in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.”

For the full report, please visit https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/

KEYWORDS: cyber security ransomware risk management

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Related Articles

Related Products

See More ProductsSee More Products

Events

View AllSubmit An Event
  • June 6, 2012

    Basic Remote Connection for AXIS Camera Companion

    In this webinar, you will learn how to setup basic forwarding rules and Network address translation (NAT) in a router. We will also show you how to setup remote connection using AXIS Camera Companion.
View AllSubmit An Event

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!