MountLocker ransomware received an update recently that cut its size by half but preserves a weakness that could potentially allow learning the random key used to encrypt files.
In a
technical analysis published today, the BlackBerry Research and Intelligence Team notes that the new MountLocker variant comes with a compilation timestamp from November 6.
The malware developers reduced the size of the 64-bit malware variant to 46KB, which is about 50% smaller than the previous version. To get to this, they removed the file extension list with more than 2,600 entries targeted for encryption.
It now targets a much smaller list that excludes easily replaceable file types: .EXE, .DLL, .SYS, .MSI, .MUI, .INF, .CAT, .BAT, .CMD, .PS1, .VBS, .TTF, .FON, .LNK.
The new code is very similar to the old one, the biggest change being the process for deleting volume shadow copies and for terminating processes, which is now done with PowerShell script before encrypting the files.
