MountLocker is a ransomware group that emerged in February 2021 and conducts financially motivated, targeted attacks against enterprise networks. The group appears to operate independently rather than under a Ransomware-as-a-Service model, and little public information is available about its country of origin or its affiliations with other cybercriminal organizations. MountLocker typically gains initial access through compromised Remote Desktop Protocol (RDP) credentials and by exploiting vulnerabilities in internet-facing applications, then deploys its custom ransomware payload, which encrypts files, and demands payment for decryption keys. Based on documented incidents, the group has shown a particular focus on transportation systems infrastructure, with approximately 18 known victims identified through its operations. The group's current operational status remains unclear, as public reporting on MountLocker activity has been limited compared to more prominent ransomware families, though no definitive law enforcement disruption has been publicly announced.

The group has been linked to 18 public disclosures across our corpus. It was first observed on a leak site on February 7, 2021; its most recent post is dated February 8, 2022. The operation is currently inactive.
Also tracked as: Mount Locker, Mount-Locker.
How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.