Menu
Browse

Cyber Threat Actor: Mount Locker

Actor Type Location Known Incidents
 Icon
Criminal
Russia
3 incidents
Profile

Mount Locker, also known as Mount Locker, is a ransomware group that has been publicly linked to operations originating from Russia. The group has targeted organizations in the education sector, such as the Peel District School Board in Canada, critical infrastructure providers like the UK‑based Amey PLC that manages bin collections and street cleaning, and biomedical research firms including Miltenyi Biotec in Germany. These attacks demonstrate a pattern of seeking monetary extortion through ransom demands, with the group demanding a $2 billion payment from Amey PLC and multi‑million dollar sums in other incidents, while also causing disruption to victims’ networks and services.

Mount Locker ransomware employs a double extortion model, exfiltrating data before encrypting systems and threatening to publish the stolen information unless a ransom is paid. The malware uses the ChaCha20 stream cipher combined with RSA‑2048 for key protection, a combination that currently leaves no free decryption option for victims. Ransom notes observed in attacks indicate that the group creates a dedicated leak site where portions of the exfiltrated data are released as proof of the breach. While the specific initial access vectors used by Mount Locker are not detailed in the available sources, the group’s activity began in July 2020 and has been associated with the deployment of ransomware payloads that encrypt files on compromised networks.

Public reporting shows that Mount Locker operates independently but has interacted with other threat actors; for example, Conti actors publicly promoted the Amey PLC breach and directed journalists to the leak site, although they stated they were not directly involved in the attack. The group’s location in Russia is noted in threat‑intelligence references, but no explicit state sponsorship or affiliation with a criminal consortium has been established in the material provided. Representative campaigns attributed to Mount Locker include the January 2021 incident affecting the Peel District School Board, the December 2020 ransomware attack on Amey PLC that resulted in the leakage of 143 GB of data, and the November 2020 breach of Miltenyi Biotec where approximately 150 GB were stolen and a fraction published on the group’s leak site.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
2 sources