Experts identified a cybercriminal group called XingLocker that uses a customized MountLocker ransomware version. The latter was spotted using enterprise Windows Active Directory APIs to worm through networks.