I. Targeted Industries
- General Networks
- Enterprise Companies
- Small-to-Mid-Sized Companies
NCC Group’s Fox-IT security team recently discovered a new ransomware family called WastedLocker. The ransomware originates from the Russian cybercrime group Evil Corp. Active since 2007, the gang has mostly focused on distributing banking trojans and other malware. The group had gone quiet after the Department of Justice (DoJ) filed criminal charges against it in December 2019. Beginning in May, however, Evil Corp has been carefully targeting victims with its new ransomware weapon, WastedLocker, demanding ransoms ranging from $500,000 to millions of dollars.
III. Background Information
The Russian cyber group Evil Corp is known for the Zeus banking Trojan and the BitPaymer malware. Over the past couple of months, however, the gang has changed its tactics, techniques, and procedures (TTPs) while developing the WastedLocker ransomware. Although the attacks are targeted at businesses, the ransomware does not include any data-theft functionality. The malware is striking database services, cloud environments, file servers, and VMs. The name “WastedLocker” comes from the filename it creates, which includes an abbreviation of the victim’s name followed by ‘wasted’.
To deliver the ransomware, the gang compromises websites and inserts malicious code that displays fake software-update prompts. These prompts deliver a custom Cobalt Strike loader onto the targeted system. In some cases, the payload can detect CrowdStrike’s endpoint security solution. When launched, the ransomware targets removable, fixed, shared, and remote drives for encryption, ignoring files smaller than 10 bytes as well as any blacklisted directories or extensions. If WastedLocker is not executed with administrative rights, it attempts to escalate its privileges.
Once the ransomware has run its encryption process, it produces a log file recording the number of successfully encrypted files and the number of targeted files. A ransom note, whose filename ends in _info, accompanies every encrypted file. The note contains email addresses and instructions for contacting the attackers to learn the ransom amount. The ransomware’s encryption is currently secure, and there is no known way to decrypt files for free.
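As an added example (not from the original report or its sources), the following Python triage script walks a file tree for the naming artifacts described above: files renamed with a victim-abbreviation plus ‘wasted’ extension and a ransom note named after each encrypted file with the _info suffix. It also recovers the original filenames as a restore-from-backup list. The victim abbreviation ‘acme’ and the sample files are constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# WastedLocker renames each encrypted file to <original>.<victim-abbrev>wasted and
# drops a ransom note beside it named <encrypted name>_info.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.(?P<abbrev>[a-z0-9]*)wasted$", re.IGNORECASE)
NOTE_SUFFIX = "_info"


def find_wastedlocker_artifacts(root):
    """Walk `root` and describe the WastedLocker naming artifacts found.

    encrypted: paths matching the <name>.<abbrev>wasted pattern
    notes:     ransom notes (<encrypted name>_info) sitting beside an encrypted file
    originals: original file paths recovered from the encrypted names (restore list)
    by_ext:    count per observed extension, e.g. {"acmewasted": 2}
    """
    result = {"encrypted": [], "notes": [], "originals": [], "by_ext": Counter()}
    for dirpath, _dirs, filenames in os.walk(root):
        present = set(filenames)
        for name in filenames:
            m = ENCRYPTED_RE.match(name)
            if not m:
                continue
            result["encrypted"].append(os.path.join(dirpath, name))
            result["originals"].append(os.path.join(dirpath, m.group("orig")))
            result["by_ext"][m.group("abbrev").lower() + "wasted"] += 1
            if name + NOTE_SUFFIX in present:
                result["notes"].append(os.path.join(dirpath, name + NOTE_SUFFIX))
    return result


def build_sample_tree():
    """Constructed sample tree using a hypothetical victim abbreviation 'acme'."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "q2.xlsx.acmewasted").write_bytes(b"\x00" * 64)
    (root / "docs" / "q2.xlsx.acmewasted_info").write_text("constructed ransom note text")
    (root / "docs" / "readme.txt").write_text("untouched file")
    (root / "budget.docx.acmewasted").write_bytes(b"\x00" * 32)
    return str(root)


if __name__ == "__main__":
    hits = find_wastedlocker_artifacts(build_sample_tree())
    print(f"encrypted files: {len(hits['encrypted'])}, ransom notes: {len(hits['notes'])}")
    print("extensions seen:", dict(hits["by_ext"]))
    print("restore from backup:", hits["originals"])
```

Point it at a file share or mounted drive image during triage; the `by_ext` counter also reveals the victim abbreviation the attackers used, which is useful when adding the extension to endpoint or IDS rules.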
For an in-depth analysis of the WastedLocker ransomware, see the recommended article: https://bit.ly/2VozqEa
- Scheduled Backups
Back up data regularly and store the backups outside the company network.
- Incorporate Known IOCs into IDS
Incorporate the malware’s known IOCs into your intrusion detection system to catch any suspicious behavior related to it.
- Malware Monitoring
Continue to monitor the threat and stay informed as new information about the malware emerges.
- Patch Updates
Apply updates consistently and patch known vulnerabilities.
V. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some of the identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.