New Ransomware Group Stealing Files Before Encrypting
Ransomware groups have adopted a new and simple technique to make their extortion more effective: they steal sensitive data such as customers' personal information, patents or other confidential material before encrypting it with their malware. Holding a copy of the stolen data gives them additional leverage over the victim.

The latest group to follow this method is Mount Locker, spotted by researchers at BleepingComputer and MalwareHunterTeam, who said the group is demanding millions of dollars in ransom from some of its victims. The group is said to have been active since the end of July this year and has reportedly stolen about 400GB of data from one target. BleepingComputer reported that the group demanded about two million dollars in ransom from that company and, when it failed to pay, leaked the stolen data on the group's darknet site.

After stealing the data, the group's malware appends ReadManual.C77BFF8C to the extension of every encrypted file. It then registers that extension in the directory so that the ransom note is displayed whenever an encrypted file is opened. BleepingComputer obtained a sample of the ransomware from MalwareHunterTeam, which revealed that the group uses the ChaCha20 cipher to encrypt files and an "embedded RSA-2048 public key to encrypt the encryption key." Because the encryption is strong and no further details are known at this time, there is no free decryptor.