Skip to main content

Operator dossier

mountlocker (also tracked as Mount Locker, Mount-Locker) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 18 public victims claimed by this operator between February 7, 2021 and February 8, 2022. MountLocker is a ransomware operation that emerged in mid-2020 and was more prominently observed through early 2021, operating primarily with financial motivation through a Ransomware-as-a-Service model that recruited affiliates to conduct intrusions while the core developers maintained the malware and payment infrastructure. The group is believed to have Eastern European origins, and researchers at CrowdStrike and other firms noted operational and technical overlaps suggesting loose connections to other ransomware ecosystems active during the same period, though definitive attribution to a specific threat actor collective remains limited in public reporting. MountLocker affiliates were observed leveraging exposed Remote Desktop Protocol services and stolen credentials as primary initial access vectors, deploying the MountLocker encryptor alongside the AdFind Active Directory reconnaissance tool and legitimate remote administration utilities to facilitate lateral movement; the group practiced double extortion, exfiltrating sensitive data prior to encryption and threatening publication on a dedicated leak site to compel payment. Based on publicly available telemetry and reporting, the group accumulated at least 18 confirmed victims across manufacturing, construction, transportation and logistics, business services, and healthcare sectors, though no single campaign achieved the notoriety of contemporaneous groups such as REvil or Conti, and no record ransom figures were publicly disclosed. MountLocker's activity declined significantly through mid-2021, with the operation believed to have rebranded or dissolved, potentially transitioning into or merging with the AstroLocker and XingLocker variants that researchers observed using closely related code and infrastructure during the same timeframe.

Most-targeted sectors

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

mountlocker

aka Mount Locker, Mount-Locker · 18 victims indexed · first seen 5 years ago · last activity 4 years ago

18
Victims indexed
#166 of 364 tracked operators
1y 0m
Active period
Feb 2021 → Feb 2022
Countries hit

At a glance

Status
inactive
Aliases
Mount Locker, Mount-Locker
First seen
5 years ago
Last activity
4 years ago
Primary sector
Manufacturing · 9 hits

About

MountLocker is a ransomware operation that emerged in mid-2020 and was more prominently observed through early 2021, operating primarily with financial motivation through a Ransomware-as-a-Service model that recruited affiliates to conduct intrusions while the core developers maintained the malware and payment infrastructure. The group is believed to have Eastern European origins, and researchers at CrowdStrike and other firms noted operational and technical overlaps suggesting loose connections to other ransomware ecosystems active during the same period, though definitive attribution to a specific threat actor collective remains limited in public reporting. MountLocker affiliates were observed leveraging exposed Remote Desktop Protocol services and stolen credentials as primary initial access vectors, deploying the MountLocker encryptor alongside the AdFind Active Directory reconnaissance tool and legitimate remote administration utilities to facilitate lateral movement; the group practiced double extortion, exfiltrating sensitive data prior to encryption and threatening publication on a dedicated leak site to compel payment. Based on publicly available telemetry and reporting, the group accumulated at least 18 confirmed victims across manufacturing, construction, transportation and logistics, business services, and healthcare sectors, though no single campaign achieved the notoriety of contemporaneous groups such as REvil or Conti, and no record ransom figures were publicly disclosed. MountLocker's activity declined significantly through mid-2021, with the operation believed to have rebranded or dissolved, potentially transitioning into or merging with the AstroLocker and XingLocker variants that researchers observed using closely related code and infrastructure during the same timeframe.

References

4 links

External sources curated by the MISP threat-intel community.

Timeline

3 months
2021-02-01T00:00:00+00:00 · 12021-09-01T00:00:00+00:00 · 162022-02-01T00:00:00+00:00 · 1
2021-02-01T00:00:00+00:002022-02-01T00:00:00+00:00

Top sectors

Manufacturing
9
Construction
3
Transportation/Logistics
2
Business Services
1
Healthcare
1
Consumer Services
1
Financial Services
1

MITRE ATT&CK

25 techniques · 10 tactics

Tactics

Initial AccessExecutionPersistenceDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1133External Remote Services
  • T1059.001Command and Scripting Interpreter: PowerShell
  • T1059.003Command and Scripting Interpreter: Windows Command Shell
  • T1047Windows Management Instrumentation
  • T1543.003Create or Modify System Process: Windows Service
  • T1562.001Impair Defenses: Disable or Modify Tools
  • T1112Modify Registry
  • T1003.001OS Credential Dumping: LSASS Memory
  • T1003.002OS Credential Dumping: Security Account Manager
  • T1078Valid Accounts
  • T1083File and Directory Discovery
  • T1082System Information Discovery
  • T1135Network Share Discovery
  • T1016System Network Configuration Discovery
  • T1021.002Remote Services: SMB/Windows Admin Shares
  • T1021.001Remote Services: Remote Desktop Protocol
  • T1570Lateral Tool Transfer
  • T1039Data from Network Shared Drive
  • T1041Exfiltration Over C2 Channel
  • T1567Exfiltration Over Web Service
  • T1486Data Encrypted for Impact
  • T1490Inhibit System Recovery
  • T1489Service Stop
  • T1491.001Defacement: Internal Defacement

Recent victims

Loading…

Source

Updated 4 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time mountlocker posts a victim.

Add mountlocker to your watchlist — Pro pings you within 5 minutes of any new mountlocker leak-site post, Telegram callout, or affiliate-rebrand inference.