T2021_01 WastedLocker Targeted Ransomware (26_January 2021)

What is Wastedlocker?

WastedLocker is a relatively new ransomware family operated by a Russian cybercriminal group commonly known as Evil Corp.

The attacks performed using WastedLocker are highly targeted at very specific organizations. It is suspected that during a first penetration attempt an assessment of the active defenses is made, and that the next attempt is then specifically designed to circumvent the active security software and other perimeter protection. The ransomware's name is derived from the file names it creates, which include an abbreviation of the victim's name and the string “wasted”. For each encrypted file, the attackers create a separate file that contains the ransom note. The ransom note has the same name as the associated encrypted file with the addition of “_info”.
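The naming convention above (an encrypted file whose suffix ends in “wasted” preceded by a victim abbreviation, and a ransom note with the same name plus “_info”) is enough to inventory what was touched on a recovered host. The script below is an added triage example, not code from the advisory or from any vendor; the regular expression, the sample directory tree and the file names in it are constructed for illustration, and the victim abbreviation is captured rather than assumed.

```python
"""Added example (not from the advisory): inventory a directory tree after a
suspected WastedLocker run, using only the naming convention the advisory
describes. Encrypted file: <original name>.<victim abbreviation>wasted
Ransom note:    <original name>.<victim abbreviation>wasted_info
The sample tree built by build_sample_tree() is constructed for illustration."""
import os
import re
import tempfile
from collections import Counter

# The abbreviation before "wasted" is chosen per victim, so capture it rather
# than hard-coding it (constructed pattern based on the advisory's description).
ENCRYPTED_RE = re.compile(r"^(?P<original>.+)\.(?P<abbr>[a-z0-9]*)wasted$")
NOTE_SUFFIX = "_info"


def inventory(root):
    """Walk `root`, pair each encrypted file with its ransom note and return:
    files        - one record per encrypted file (note path or None)
    orphan_notes - notes with no matching encrypted file
    abbreviations- distinct victim abbreviations seen in suffixes
    per_directory- count of encrypted files per directory"""
    encrypted = []
    notes = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # A note ends in "wasted_info"; plain "_info" alone would also match
            # ordinary files such as "contact_info".
            if name.endswith("wasted" + NOTE_SUFFIX):
                notes.add(path)
                continue
            m = ENCRYPTED_RE.match(name)
            if m:
                encrypted.append((path, m.group("original"), m.group("abbr")))

    records = []
    for path, original, abbr in encrypted:
        note = path + NOTE_SUFFIX
        records.append({
            "encrypted": path,
            "original_name": original,
            "victim_abbr": abbr,
            "note": note if note in notes else None,
        })
    matched_notes = {r["note"] for r in records if r["note"]}
    return {
        "files": records,
        "orphan_notes": sorted(notes - matched_notes),
        "abbreviations": sorted({r["victim_abbr"] for r in records}),
        "per_directory": dict(Counter(os.path.dirname(r["encrypted"]) for r in records)),
    }


def build_sample_tree():
    """Constructed sample: two encrypted files with notes, one clean file, and
    one note whose encrypted file is gone (e.g. restored from backup already)."""
    root = tempfile.mkdtemp(prefix="wl_sample_")
    os.makedirs(os.path.join(root, "finance"))
    for rel in ["finance/q3.xlsx.acmewasted", "finance/q3.xlsx.acmewasted_info",
                "memo.docx.acmewasted", "memo.docx.acmewasted_info",
                "readme.txt", "old.pdf.acmewasted_info"]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    inv = inventory(build_sample_tree())
    print(f"{len(inv['files'])} encrypted files, abbreviations {inv['abbreviations']}")
    for directory, count in inv["per_directory"].items():
        print(f"  {count:4d}  {directory}")
    print("orphan notes:", inv["orphan_notes"])
```

The per-directory counts matter for the responder: the advisory notes that WastedLocker can prioritize directories, so the directories with the densest hits are the ones the operators considered most valuable. Orphan notes are worth keeping as evidence even after the associated files have been restored.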

Detection Names

Antivirus products detect this ransomware under varying names, as listed below:

  1. Ad-Aware: Trojan.GenericKD.43266676
  2. AegisLab: Hacktool.Win32.Krap.lKMc
  3. AhnLab-V3: Trojan/Win32.Agent.R341646
  4. Alibaba: TrojanSpy:Win32/DelShad.570a67ca
  5. ALYac: Trojan.Ransom.WastedLocker
  6. Antiy-AVL: GrayWare/Win32.Kryptik.ehls
  7. SecureAge APEX: Malicious
  8. Arcabit: Trojan.Generic.D2943274
  9. Avast: Win32:DangerousSig [Trj]
  10. AVG: Win32:DangerousSig [Trj]
  11. Avira (no cloud): TR/AD.Ursnif.juibm
  12. BitDefender: Trojan.GenericKD.43266676
  13. BitDefenderTheta: Gen:NN.ZexaF.34634.fr1@aK21uqmi
  14. Bkav Pro: W32.AIDetectVM.malware1
  15. CAT-QuickHeal: Trojanransom.Wasted
  16. Comodo: Malware@#3ohvz7lgkeje
  17. Cylance: Unsafe
  18. Cynet: Malicious (score: 100)
  19. Cyren: W32/Trojan.XOJA-2528
  20. DrWeb: Trojan.Encoder.31951
  21. Elastic: Malicious (high Confidence)
  22. Emsisoft: Trojan.GenericKD.43266676 (B)
  23. eScan: Trojan.GenericKD.43266676
  24. ESET-NOD32: Win32/Filecoder.WastedLocker.A
  25. F-Secure: Trojan.TR/AD.Ursnif.juibm
  26. FireEye: Generic.mg.6b20ef8fb494cc6e
  27. Fortinet: W32/Kryptik.HDMT!tr
  28. GData: Trojan.GenericKD.43266676
  29. Gridinsoft: Ransom.Win32.Filecoder.cc
  30. Ikarus: Trojan-Ransom.WastedLocker
  31. Jiangmin: Trojan.DelShad.aar
  32. K7AntiVirus: Spyware ( 0054f96e1 )
  33. K7GW: Spyware ( 0054f96e1 )
  34. Kaspersky: HEUR:Trojan-Ransom.Win32.Wasted.vho
  35. Kingsoft: Win32.Troj.Banker.(kcloud)
  36. Malwarebytes: Ransom.BinADS
  37. MAX: Malware (ai Score=100)
  38. McAfee: Ransom-Wasted
  39. McAfee-GW-Edition: Ransom-Wasted
  40. Microsoft: Trojan:Win32/Gozi.RA!MTB
  41. NANO-Antivirus: Trojan.Win32.Encoder.hlenun
  42. Palo Alto Networks: Generic.ml
  43. Panda: Trj/GdSda.A
  44. Qihoo-360: Win32/Trojan.500
  45. Rising: Trojan.Generic@ML.91 (RDMK:tOcc0LfjbjusFjV5qhjk3g)
  46. Sangfor Engine Zero: Malware
  47. SentinelOne (Static ML): Static AI - Malicious PE
  48. Sophos: Mal/EncPk-APV
  49. Sophos ML: Mal/Generic-R + Mal/EncPk-APV
  50. Symantec: Ransom.WastedLocker
  51. Tencent: Win32.Trojan.Delshad.Wops
  52. TrendMicro: Ransom.Win32.WASTEDLOCKER.YAAF-A
  53. TrendMicro-HouseCall: Ransom.Win32.WASTEDLOCKER.YAAF-A
  54. VBA32: BScope.Malware-Cryptor.Hlux
  55. VIPRE: Trojan.Win32.Generic!BT
  56. ViRobot: Trojan.Win32.S.Ransom.1130896
  57. Webroot: W32.Ransom.Wastedlocker
  58. Yandex: TrojanSpy.Ursnif!kUypWDGQPZw
  59. Zillya: Trojan.Ursnif.Win32.11393
  60. ZoneAlarm by Check Point: HEUR:Trojan-Ransom.Win32.Wasted.vho
  61. Dr.Web vxCube: MALWARE RANSOM
  62. Lastline: MALWARE TROJAN

Method of infection

One of the methods found to date is the usage of fake software update alerts embedded in existing websites. The infection chain for WastedLocker starts with a JavaScript-based attack framework called SocGholish that is distributed as a fake browser update by alerts displayed on legitimate but compromised websites.

The SocGholish framework is delivered as a ZIP file and, if opened and run, it starts an attack chain that involves downloading and executing PowerShell scripts and the Cobalt Strike backdoor designed to create a foothold and gather information about the network.

Once the hackers gain access to a computer on the network of an organization they perform reconnaissance and start deploying various living-off-the-land tools to steal credentials, escalate privileges and move laterally to other machines. The attackers' goal is to identify and gain access to high-value systems such as file servers, database servers and even virtual machines running in the cloud before deploying a victim-tailored WastedLocker binary on them.

How it works

WastedLocker uses a combination of AES and RSA cryptography in its file encryption routine that is similar to other targeted ransomware programs. Every file is encrypted with a unique 256-bit AES key that's generated on the fly. Those AES keys together with other information about the encrypted files are then encrypted with a 4096-bit public RSA key that is hardcoded in the WastedLocker binary. The attackers retain the private part of the RSA key pair which is needed to recover the AES keys and decrypt individual files. Since this is a manually deployed ransomware threat that's customized for every target, the attackers generate unique RSA key pairs for each victim. This means a private key received by one organization after paying the ransom won't work to decrypt files from another impacted organization.

WastedLocker has a mechanism that allows attackers to prioritize certain directories during the encryption routine. This is likely used to ensure that the most important and valuable files are encrypted first in case the encryption process is stopped by some security mechanism.

It is designed to delete shadow copies, which are the default backups made by the Windows OS, and tries to encrypt files over the network, including remote backups. It uses privilege escalation techniques such as DLL hijacking to obtain system privileges and installs a service that performs the encryption routine. This service is stopped and deleted when the encryption process is complete.
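The behaviours in this paragraph (shadow copy deletion, a freshly installed service that does the encrypting, and that service being removed once it is done) are all visible in standard Windows event logs, and a short-lived service around a shadow copy deletion is a much stronger signal than either event alone. The rule set below is an added detection example, not code from the advisory; it reads constructed event records whose field names are modelled on Security event 4688 (process creation with command line) and System event 7045 (new service installed), and the command-line patterns, host names and service name are constructed for illustration.

```python
"""Added example (not from the advisory): flag the host-level behaviours the
advisory attributes to WastedLocker over constructed Windows event records.
Field names are modelled on Security event 4688 (process creation) and System
event 7045 (service installed); the sample events below are constructed."""
import re
from datetime import datetime, timedelta

# Command lines that remove Volume Shadow Copies (constructed patterns).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
# "sc delete <name>" removes a service; the service name is group 2.
SERVICE_DELETE = re.compile(r"\bsc(\.exe)?\s+delete\s+(\S+)", re.I)
# A service installed and deleted within this window is treated as short-lived.
SHORT_LIVED = timedelta(hours=24)


def evaluate(events):
    """Return a list of findings, one per matched rule, in event order."""
    findings = []
    installed = {}  # (host, service name) -> install timestamp
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_id"] == 7045:
            installed[(ev["host"], ev["service_name"])] = ts
            findings.append({"rule": "new_service_installed", "host": ev["host"],
                             "detail": f"{ev['service_name']} -> {ev['image_path']}"})
        elif ev["event_id"] == 4688:
            cmd = ev.get("command_line", "")
            if SHADOW_DELETE.search(cmd):
                findings.append({"rule": "shadow_copy_deletion",
                                 "host": ev["host"], "detail": cmd})
            m = SERVICE_DELETE.search(cmd)
            if m:
                key = (ev["host"], m.group(2))
                if key in installed and ts - installed[key] <= SHORT_LIVED:
                    findings.append({"rule": "short_lived_service", "host": ev["host"],
                                     "detail": f"{m.group(2)} installed at "
                                               f"{installed[key].isoformat()}, deleted by: {cmd}"})
    return findings


def hosts_with_multiple_rules(findings):
    """Hosts on which more than one distinct rule fired; these are the
    candidates for immediate isolation rather than single-alert triage."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) > 1)


# Constructed sample records; the service name, image path and hosts are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2021-01-20T02:10:05", "host": "FS01", "event_id": 4688,
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2021-01-20T02:10:09", "host": "FS01", "event_id": 7045,
     "service_name": "PlaceholderSvc", "image_path": "C:\\ProgramData\\placeholder.exe"},
    {"ts": "2021-01-20T03:45:00", "host": "FS01", "event_id": 4688,
     "command_line": "sc.exe delete PlaceholderSvc"},
    {"ts": "2021-01-20T09:00:00", "host": "WS07", "event_id": 4688,
     "command_line": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
    print("escalate:", hosts_with_multiple_rules(results))
```

Event 7045 alone is noisy on servers where software is installed routinely; pairing it with a deletion of the same service on the same host, and with a shadow copy deletion shortly before, is what turns it into an actionable alert. On the sample above only FS01 trips more than one rule.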

Removing WastedLocker

Take the following steps when a system is suspected to be infected with ransomware:

STEP 1. Isolate the infected device(s):

       1. Log out of all cloud storage.

       2. Disconnect the infected device from the network and the internet. You may even go as far as disabling all Network Interface Cards.

       3. Disconnect all external storage devices.

STEP 2. Reimage the infected device(s).

STEP 3. Restore clean copies of files from backups.

PDF Download: WastedLocker Targeted Ransomware.pdf

References

VirusTotal. (2020, November 19). Detection results for the WastedLocker sample. Retrieved from VirusTotal: https://www.virustotal.com/gui/file/887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d/detection

Palmer, Danny. (2020, August 4). Ransomware: The tricks used by WastedLocker to make it one of the most dangerous cyber threats. Retrieved from ZDNet: https://www.zdnet.com/article/ransomware-the-tricks-used-by-wastedlocker-to-make-it-one-of-the-most-dangerous-cyber-threats/

Constantin, Lucian. (2020, September 22). WastedLocker explained: How this targeted ransomware extorts millions from victims. Retrieved from CSO: https://www.csoonline.com/article/3574907/wastedlocker-explained-how-this-targeted-ransomware-extorts-millions-from-victims.html

Arntz, Pieter. (2020, July 10). Threat spotlight: WastedLocker, customized ransomware. Retrieved from Malwarebytes Labs: https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/