What is WastedLocker?
WastedLocker is a new ransomware operated by a Russian malware exploitation group commonly known as Evil Corp.
Attacks performed using WastedLocker are highly targeted at very specific organizations. It is suspected that a first penetration attempt is used to assess the active defenses, and that the next attempt is specifically designed to circumvent the security software and other perimeter protection in use. The ransomware's name is derived from the filenames it creates, which include an abbreviation of the victim's name and the string wasted. For each encrypted file, the attackers create a separate file containing the ransom note; it has the same name as the associated file with _info appended.
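The naming convention above (a victim-specific extension ending in wasted, plus a sibling note with _info appended) lends itself to a simple triage scan during incident response. The following script is an added example, not code from the original page; the regular expression for the extension and the sample directory it builds are assumptions based on the description, not confirmed indicators.

```python
import re
import tempfile
from pathlib import Path

# Assumption (from the page's description, not a confirmed indicator):
# encrypted files carry an extension made of a short victim abbreviation
# followed by "wasted", and each has a sibling ransom note named
# "<encrypted file name>_info".
ENCRYPTED_EXT = re.compile(r"^\.[a-z0-9]{1,8}wasted$", re.IGNORECASE)
NOTE_SUFFIX = "_info"


def scan_for_wastedlocker(root):
    """Walk `root` and pair encrypted-looking files with their ransom notes.

    Returns the encrypted files found, the notes found, the distinct
    extensions seen (one victim-specific extension is expected), and the
    encrypted files that have no matching note.
    """
    root = Path(root)
    encrypted, notes, extensions = [], [], set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name
        if name.endswith(NOTE_SUFFIX) and ENCRYPTED_EXT.match(
                Path(name[:-len(NOTE_SUFFIX)]).suffix):
            notes.append(path)
        elif ENCRYPTED_EXT.match(path.suffix):
            encrypted.append(path)
            extensions.add(path.suffix.lower())
    # An encrypted file without its note is still worth listing: it may mean
    # the process was interrupted or files were moved during response.
    note_names = {n.name for n in notes}
    unpaired = [p for p in encrypted if p.name + NOTE_SUFFIX not in note_names]
    return {"encrypted": encrypted, "notes": notes,
            "extensions": sorted(extensions), "unpaired": unpaired}


def build_sample_tree():
    """Create a constructed directory that mimics a hit, for a stand-alone run."""
    base = Path(tempfile.mkdtemp(prefix="wl_demo_"))
    (base / "finance").mkdir()
    for name in ("budget.xlsx.abcwasted", "budget.xlsx.abcwasted_info",
                 "notes.txt", "plan.docx.abcwasted"):
        (base / "finance" / name).write_text("constructed sample")
    return base


if __name__ == "__main__":
    result = scan_for_wastedlocker(build_sample_tree())
    for key in ("encrypted", "notes", "unpaired"):
        print(key, sorted(p.name for p in result[key]))
    print("extensions", result["extensions"])
```

Run it against a mounted, read-only copy of the affected volume rather than the live system; the output gives the scope of encryption and the extension to watch for on other hosts.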
Some antivirus products detect this ransomware under varying detection names. They are as follows:
Method of infection
The SocGholish framework is delivered as a ZIP file and, if opened and run, it starts an attack chain that involves downloading and executing PowerShell scripts and the Cobalt Strike backdoor, designed to create a foothold and gather information about the network.
Once the attackers gain access to a computer on an organization's network, they perform reconnaissance and start deploying various living-off-the-land tools to steal credentials, escalate privileges and move laterally to other machines. The attackers' goal is to identify and gain access to high-value systems such as file servers, database servers and even virtual machines running in the cloud before deploying a victim-tailored WastedLocker binary on them.
How it works
WastedLocker uses a combination of AES and RSA cryptography in its file encryption routine, similar to other targeted ransomware programs. Every file is encrypted with a unique 256-bit AES key that is generated on the fly. Those AES keys, together with other information about the encrypted files, are then encrypted with a 4096-bit public RSA key that is hardcoded in the WastedLocker binary. The attackers retain the private part of the RSA key pair, which is needed to recover the AES keys and decrypt individual files. Since this is a manually deployed ransomware threat that is customized for every target, the attackers generate unique RSA key pairs for each victim. This means a private key received by one organization after paying the ransom will not decrypt files from another impacted organization.
WastedLocker has a mechanism that allows attackers to prioritize certain directories during the encryption routine. This is likely used to ensure that the most important and valuable files are encrypted first in case the encryption process is stopped by some security mechanism.
It is designed to delete shadow copies, which are the default backups made by the Windows OS, and tries to encrypt files over the network, including remote backups. It uses privilege escalation techniques such as DLL hijacking to obtain system privileges and installs a service that performs the encryption routine. This service is stopped and deleted when the encryption process is complete.
When it is suspected that a system is infected with ransomware, the following steps are necessary:
STEP 1. Isolate the infected device(s):
1. Log out of all cloud storage.
2. Disconnect the infected device from the network and the internet. You may even go as far as disabling all network interface cards.
3. Disconnect all external storage devices.
STEP 2. Reimage the infected device(s).
STEP 3. Restore clean copies of files from backups.