Security experts have uncovered a series of close links between ransomware groups Mount Locker and Astro Locker Team, in a new report that will be of interest to incident responders.

Sophos’ Managed Threat Response (MTR) team said it recently dealt with an attack that had all the TTPs of a Mount Locker operation. However, when it followed the link in the ransom note, the researchers were met by a ‘support’ team who introduced themselves as “Astro Locker Team.”

On further investigation, the MTR found all five of the victim organizations listed on the Astro Locker Team leak site were also on the equivalent Mount Locker site. It also found that some of the leaked data linked to the Mount Locker site were being hosted on the Astro Locker onion site.

“In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil, and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’s Rapid Response team.

“It is possible that the Mount Locker group wants to rebrand themselves to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program. Regardless, if any organizations become a victim of Astro Locker in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.”

Mackenzie argued that Mount Locker could be using the Astro name to pretend the group has a major new affiliate for its new RaaS program, or it may be a legitimate deal designed to accelerate its transition to becoming a RaaS operation.

“Branding is a powerful force for ransomware groups. Good branding can come from a single threat group being skilled at hitting high-value targets and avoiding detection — such as DoppelPaymer — or by running a successful RaaS network — like Sodinokibi or Egregor. Powerful branding with ransomware groups can strike fear in targets and lead to a higher likelihood of payouts,” he concluded.

“Mount Locker has proven itself as a less sophisticated ransomware group, so a pivot to an affiliate program might be a way to create a new brand and move up the hierarchy of threat groups.”

Sophos also claimed that Mount Locker may be sharing some back-end services with the Ragnar Locker group, although the latter doesn’t seem to be part of its RaaS scheme yet.