In a blog post released on Saturday, the researchers said MountLocker has been offered on a ransomware-as-a-service model since July and was updated in November to broaden the file types it targeted and its ability to evade security software.
"The MountLocker ransomware, at less than 100Kb in size, is lightweight and simple in construction," the researchers wrote. "It is typically deployed as either an x86 or x64 Windows portable executable (PE) file, although occasionally as a Microsoft Installer (MSI) package."
Like many other Windows ransomware groups, MountLocker also has a site on the dark web where recent targets who do not pay up are listed. Links to leaked data are also provided.
As to infection vectors, the Blackberry team said attackers who used MountLocker used compromised credentials to gain access to a Windows system through the Remote Desktop Protocol application.
A typical ransom note generated by the Windows MountLocker ransomware. Supplied
"In one instance, after establishing a foothold in an organisation, there was a delay of several days before activity resumed," they wrote.
"It is likely that the threat actors were negotiating with the MountLocker operators to join their affiliate program and obtain the ransomware during this pause.
"Upon obtaining the MountLocker ransomware, the threat actors were observed returning with several 'public' tools, including CobaltStrike Beacon and AdFind from Joeware."
As with several other ransomware groups, data is stolen from victims to serve as an additional means of putting pressure on them to extort a ransom.
The researchers claimed that successful MountLocker affiliates had been known to seek multi-million-dollar payments for decryption services and to prevent public disclosure of stolen data.
The Blackberry team provided a detailed technical breakdown of how the ransomware behaves before, during and after entry.