NEW PRESS RELEASE: SOD Awarded $2.2 M Grant to Futher Develop AQ Technology | Click Here
wasted-locker

Wasted Locker: The Most Advanced Ransomware Yet

Written By Jordan Kalm, TRU Cyber Threat Intelligence Analyst

Overview

Wasted Locker is a newer, more advanced strain of ransomware, wreaking havoc since roughly May of 2020. It is believed to have been developed by the same threat group who created both the Dridex banking Trojan and Bitpaymer ransomware. The name for the ransomware was given due to the fact that it appends encrypted files with ‘wasted’, which is a clever play on a Grand Theft Auto cultural meme that belies the seriousness of being targeted by this insidious and evasive ransomware. Several Fortune 500 companies in the US have already been targeted by the creators of this malware, causing over $60 million in damages.

The Initial attack

The initial attack vectors vary, as with most of the more advanced ransomware. One somewhat unique method used by Wasted Locker is the use of fake software or browser update alerts embedded in existing websites. These can be malicious websites or domains owned by the malware operators or sometimes benign websites that have been the victims of malicious JavaScript injections. Clicking on these messages downloads a loader malware, usually Cobalt Strike, which is a penetration testing software that has been frequently utilized by threat groups for lateral escalation and data gathering.

Dedication to obfuscation

One of the unique aspects of Wasted Locker is its dedication to evasion. Like Clop and Maze ransomware, Wasted Locker transparently encrypts cached documents in memory by using memory-mapped file access. This makes it very difficult to see this behavior through behavioral monitoring because the data is served from memory instead of disk. Wasted Locker takes this a step further by closing each file when complete, which means anti-ransomware tools will have a difficult time determining whether the malicious process or a benign process wrote the file, due to how the Windows Cache Manager works. Anti-ransomware solutions that correlate activity based on process creation, file creation and file close operations will miss all this activity.

In many other ways, the ransomware is very similar to its older brother, Bitpaymer. For example, Wasted Locker abuses alternate data streams by appending itself to a clean system file and executing itself as a service component of a clean file, which gives the appearance that the clean file is the source of the ransomware behavior. It also abuses user account controls by adding a .cmd file to the registry key of a common event, which will run when an elevated event viewer executable is run. This executes the .cmd file which then runs the ransomware binary.

How do you stop it?

Wasted Locker attacks both the backups and main file locations quietly, making it very difficult to detect. Online backups are not safe when dealing with modern ransomware. In this case, only offline backups would be safe. As of yet, the group behind this ransomware does not exfiltrate the data it encrypts, this means that currently, no organization has had to respond to the publishing or auctioning of sensitive data.

The most effective way of stopping the ransomware is to prevent it from gaining any traction on your system, through the use of good defense tools and monitoring.  Security On-Demand’s Advanced Analytics and Log Analysis technology is built to detect anomalies and unknown threats invading your system.

Though there is no perfect solution for ransomware protection, our continuing innovation towards 6th generation threat detection capabilities allow us to find many of the indicators and hidden threats associated with ransomware. Currently, our best ransomware detection capability is our anomaly detection, which shows us when devices and hosts are doing things they have never done before. In addition, our Threat Recon Unit (TRU) is dedicated to find the best threat intel so that we can improve our alerting, help us tune our watchlist for specific ransomware indicators, and keep our customers informed.

For more information about our services, contact us here.