The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks. MountLocker started operating as a Ransomware-as-a-Service (RaaS) in July 2020. Under this model, developers are in charge of programming the software and payment site, while affiliates are recruited to hack businesses and encrypt their devices. As part of this arrangement, the core team receives a smaller cut of 20-30% of a ransom payment, while the affiliate gets the rest. In March 2021, a new ransomware group called ‘Astro Locker’ emerged and began using a customized version of the ransomware, with ransom notes pointing to its own payment and data leak sites.
Source: https://www.bleepingcomputer.com/news/security/mountlocker-ransomware-uses-windows-api-to-worm-through-networks/

