MountLocker
MountLocker is ransomware referenced in reporting on intrusion activity and malware delivery chains. The provided content links MountLocker to at least two access-and-deployment ecosystems. First, CrowdStrike-assessed activity described Prophet Spider as an access broker that exploited unpatched Oracle WebLogic Server vulnerabilities, including CVE-2020-14882 and CVE-2020-14750, as well as older Oracle flaws such as CVE-2016-0545 and SQL injection, to gain initial access to victim environments and likely sell that access to ransomware operators including MountLocker. In that reporting, Prophet Spider was observed compromising vulnerable web servers and public-facing applications, and researchers reported incidents where its intrusions preceded ransomware deployment. Second, CERT-FR/ANSSI reporting states that the BumbleBee loader has previously been used to deploy ransomware including MountLocker, alongside Conti, Quantum, Diavol, and Akira. BumbleBee distribution methods in the cited report include phishing, malicious advertisements, malicious sites offering fake software, email thread hijacking, and delivery by other malware such as Emotet and Raspberry Robin. The content does not provide technical details on MountLocker’s internal functionality, encryption behavior, specific victim sectors, operating systems, or direct indicators of compromise.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Researchers noticed a recent trend in which Prophet Spider uses CVE-2020-14882 and CVE-2020-14750 to get a foothold into target environments. Both CVEs relate to path traversal vulnerabilities that enable an attacker to access the WebLogic administrative console, which then allows for unauthenticated remote code execution.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Prophet Spider functioned as an access broker and likely granted access to Egregor and MountLocker ransomware operators in exchange for payment.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique: "attackers exploit Oracle WebLogic server flaws to access target environments" ... "uses CVE-2020-14882 and CVE-2020-14750 to get a foothold" ... "path traversal vulnerabilities that enable an attacker to access the WebLogic administrative console, which then allows for unauthenticated remote code execution." | "Prophet Spider has also been seen using older Oracle CVEs such as CVE-2016-0545, as well as gaining initial access via SQL injection."
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family referenced as a downstream payload/operator that may have received access from Prophet Spider for ransomware deployment.
Ransomware mentioned as a payload historically deployed via BumbleBee.