MorLock Ransomware Attacking Organizations to Steal Business Data

A new group known as MorLock ransomware has intensified its attacks on Russian businesses, causing disruptions and financial losses.

This group, first identified at the beginning of 2024, has already compromised nine medium to large Russian companies.

The Rise of MorLock

MorLock has quickly become one of the most active cyber gangs targeting Russian entities.


Utilizing sophisticated ransomware variants such as LockBit 3 (Black) and Babuk, MorLock’s operations are characterized by their stealth and financial motivations despite attempts to disassociate from any political agendas.

FACCT reports the activation of a new criminal group called MorLock ransomware.

MorLock’s approach involves exploiting vulnerabilities in public applications and compromised credentials, which are often acquired through dark web marketplaces like the Russian Market.

The group’s methodical preparation includes disabling Russian corporate antivirus systems via administrative access, allowing the unfettered spread of their ransomware within the victim’s network.

Tools of the Trade

The arsenal of tools employed by MorLock is extensive, including:

  • LockBit 3 (Black) and Babuk: Primary ransomware tools for encrypting data.
  • Sliver and Godzilla web-shell: For maintaining persistence and control over the compromised systems.
  • SoftPerfect Network Scanner and PingCastle: For network reconnaissance.
  • PsExec and AnyDesk: To execute and manage the ransomware across the network.

Administrator's message about blocking accounts on

These tools facilitate rapid deployment of the ransomware, typically completing their damaging work within a few days of gaining access.

Message from one of the banned forum participants.

Unlike other ransomware groups that exfiltrate data to leverage double extortion tactics, MorLock solely focuses on encryption, demanding ransoms that can reach hundreds of millions of rubles.

During negotiations, these demands may be halved, yet they remain substantially higher than those of other groups.

Cybersecurity Responses and Recommendations

Given the severity and sophistication of MorLock’s attacks, businesses are urged to enhance their cybersecurity measures.

This includes regularly updating security systems, training employees on cybersecurity best practices, and employing multi-factor authentication to safeguard against credential compromises.

Using the victim’s web browser, the attackers downloaded a few tools onto hosts straight from official websites.

The full list of MorLock's tools, including ransomware:

  • LockBit 3 (Black)
  • Babuk (ESXi, NAS)
  • Sliver
  • Facefish
  • Godzilla web-shell
  • SoftPerfect Network Scanner
  • PingCastle
  • resocks
  • localtonet
  • pretender
  • AnyDesk
  • putty
  • XenAllPasswordPro
  • nssm
  • PsExec
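
Most of the tools in this list are legitimate administration software, so a single sighting means little; several of them appearing on one host within a few days is the pattern worth hunting for. The sketch below is an added example, not code from the article or from FACCT: it correlates process-creation records per host and flags such clusters. The log format, the file-name fragments (including netscan for SoftPerfect Network Scanner), the three-tool threshold and the three-day window are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Lower-cased file-name fragments for the dual-use tools in the article's list.
# Matching on file name is this example's assumption; a renamed binary is missed.
TOOL_MARKERS = {
    "psexec": "PsExec", "anydesk": "AnyDesk", "nssm": "nssm", "putty": "putty",
    "pingcastle": "PingCastle", "netscan": "SoftPerfect Network Scanner",
    "xenallpasswordpro": "XenAllPasswordPro", "resocks": "resocks",
    "localtonet": "localtonet", "pretender": "pretender",
}

# Constructed process-creation records: timestamp,host,image path.
SAMPLE_EVENTS = r"""
2024-04-01T08:00:00,HELPDESK,C:\Program Files (x86)\AnyDesk\AnyDesk.exe
2024-04-20T11:30:00,HELPDESK,C:\Tools\putty.exe
2024-05-02T09:00:00,ADMIN-WS,C:\Tools\putty.exe
2024-05-06T09:05:00,FS01,C:\Program Files\Google\Chrome\Application\chrome.exe
2024-05-06T09:12:00,FS01,C:\Users\admin\Downloads\netscan.exe
2024-05-06T10:40:00,FS01,C:\Users\admin\Downloads\PingCastle.exe
2024-05-07T02:15:00,FS01,C:\Users\admin\Downloads\PsExec.exe
2024-05-07T02:30:00,FS01,C:\Users\admin\Downloads\AnyDesk.exe
2024-05-10T14:00:00,HELPDESK,C:\Tools\PsExec.exe
"""

def match_tool(image_path):
    """Return the listed tool an image path's file name matches, or None."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return next((tool for marker, tool in TOOL_MARKERS.items() if marker in name), None)

def find_clusters(lines, min_tools=3, window=timedelta(days=3)):
    """Map host -> tools, for hosts running >= min_tools listed tools inside window."""
    per_host = defaultdict(list)
    for line in filter(str.strip, lines):
        ts, host, image = line.strip().split(",", 2)
        tool = match_tool(image)
        if tool:
            per_host[host].append((datetime.fromisoformat(ts), tool))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {tool for ts, tool in hits[i:] if ts - start <= window}
            if len(seen) >= min_tools:
                flagged[host] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    for host, tools in find_clusters(SAMPLE_EVENTS.splitlines()).items():
        print(f"{host}: {', '.join(tools)}")
```

In the constructed sample, HELPDESK runs three of the tools over six weeks and ADMIN-WS runs only putty, so neither is flagged; FS01 runs four within a day and is.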

The emergence of MorLock ransomware is a stark reminder of the evolving landscape of cyber threats.

Russian businesses, particularly those in critical sectors, must remain vigilant and proactive in their cybersecurity efforts to fend off these financially motivated attacks that aim to cripple operations and extort substantial ransoms.

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.