Sophos identifies connection between Mount Locker and Astro Locker team ransomware

April 5, 2021

Sophos published a new report on a recently uncovered connection between the Mount Locker ransomware group and a new group, called “Astro Locker Team.”

In a nutshell, Sophos recently detected ransomware targeting an organization’s unprotected machines that had all the hallmarks of Mount Locker ransomware. However, when they followed the link in the ransom note to the attackers’ chat/support site, Sophos incident responders found themselves faced with a near-unknown group calling itself “AstroLocker Team” or “Astro Locker Team.” Astro Locker appears to be a new ransomware family – but appearances can be deceptive.

When comparing the Astro Locker leak site to the Mount Locker leak site, investigators noted that all five of the organizations listed on the Astro Locker site were also listed as victims on the Mount Locker site. Digging in further, the size of the data leaks on all five matched and shared some of the same links to the leaked data.

Looking at the matching links more closely, Sophos experts noticed one last connection: some of the leaked data linked on the Mount Locker site was being hosted on the Astro Locker onion site: http[:]//anewset****.onion

While it is unclear what the relationship is between Mount Locker and Astro Locker, defenders should consider both when dealing with a ransomware attack, Sophos researchers say.

Peter Mackenzie, manager of Sophos’ Rapid Response team, says, “In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’ Rapid Response team. “It is possible that the Mount Locker group wants to rebrand itself to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program with Astro Locker as a significant branded affiliate. It could even be that the Mount Locker group is using the Astro Locker name to pretend they have such an affiliate. Regardless, if any organization becomes a victim of ‘Astro Locker’ in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.”

For the full report, please visit https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/

Developing Mutually Beneficial Public/Private Partnerships in Security

This webinar will offer industry best practices to help your security team create or expand a sustainable program that aids in the fulfillment of your organization’s goals and objectives, while assisting your local agencies in fulfilling some of theirs as well — ultimately offering stronger security and response across both.

This year promises to build on the technological and business model innovations of last year, refine their value propositions, and play a key part for organizations who are navigating through covid-19 and planning for a post-Covid era.

Poll

Video Surveillance

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Sophos identifies connection between Mount Locker and Astro Locker team ransomware

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Sophos identifies connection between Mount Locker and Astro Locker team ransomware

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.