New WastedLocker Ransomware distributed via fake program updates

Posted by & filed under Security Alerts.

The Russian cybercrime group known as Evil Corp has added a new ransomware to its arsenal called WastedLocker. This ransomware is used in targeted attacks against the enterprise.

The Evil Corp gang, also known by CrowdStrike as Indrik Spider, started as affiliates for the ZeuS botnet. Over time, they formed into a group that focused on distributing the banking trojan and downloader called Dridex via phishing emails.

As their attacks evolved, the group created a ransomware called BitPaymer which was delivered via the Dridex malware in targeted attacks against corporate networks.

In a new report by NCC Group’s Fox-IT security research team, researchers explain that after the indictment of Evil Corp members, Igor Olegovich Turashev and Maksim Viktorovich Yakubets, the hacking group began restructuring their tactics.

As part of this restructure, Evil Corp has begun distributing a new ransomware variant called WastedLocker in targeted attacks against businesses.

“Evil Corp are selective in terms of the infrastructure they target when deploying their ransomware. Typically, they hit file servers, database services, virtual machines and cloud environments. Of course, these choices will also be heavily influenced by what we may term their ‘business model’ – which also means they should be able to disable or disrupt backup applications and related infrastructure,” Fox-IT researcher Stefano Antenucci (@Antelox) explains in the report.

To deliver the ransomware, Evil Corp is hacking into sites to insert malicious code that displays fake software update alerts from the SocGholish fake update framework.

One of the payloads sent in these attacks is the Cobalt Strike penetration testing and post-exploitation toolkit, which Evil Corp uses to gain access to the infected device.

The threat actors then use this access to compromise the network further and deploy the WastedLocker Ransomware.

Fox-IT noted that unlike DoppelPaymer attacks, a ransomware created by a group who split from Evil Corp in 2019, WastedLocker attacks do not appear to steal data before encrypting files.

“It is interesting that the group has not appeared to have engaged in extensive information stealing or threatened to publish information about victims in the way that the DoppelPaymer and many other targeted ransomware operations have. We assess that the probable reason for not leaking victim information is the unwanted attention this would draw from law enforcement and the public,” Antenucci theorized.

Taking WastedLocker for a spin

When launched, the WastedLocker ransomware will pick a random EXE or DLL file under C:\Windows\System32 and use that file’s name to create a new file without an extension under the %AppData% folder.

Attached to this file is an alternative data stream named ‘bin’, which will then be executed.

According to Fox-IT, once executed, the ransomware will attempt to encrypt all drives on the computer, skipping files in specific folders or containing certain extensions.

“Instead of including a list of extension targets, WastedLocker includes a list of directories and extensions to exclude from the encryption process. Files with a size less than 10 bytes are also ignored and in case of a large file, the ransomware encrypts them in blocks of 64MB.”

These attacks are targeted, which means that the ransomware is built specifically to target a company.

As part of this customization, the ransomware will combine the ‘wasted’ string and the company’s initials to generate an extension that is appended to a victim’s encrypted files.

For example, as shown below, the extension is .eswasted, with ‘es’ being the victim’s initials. If Acme Corporation was the victim, it might be .acwasted.

For every file that is encrypted, WastedLocker will also create an accompanying ransom note ending with _info.

For example, if Acme Corporation’s files were encrypted, the 1.doc file would be encrypted and renamed to 1.doc.acwasted, and a ransom note will be created called 1.jpg.acwasted_info, as shown below.

This tactic is strange, as no program can open it automatically compared to a ransom note using the .txt extension.

This ransom note contains both a protonmail.com and tutanota.com email address and instructions to contact them for the ransom amount.

Antenucci said that these ransom demands range from $500,000 to millions of dollars.

WastedLocker appears to be secure at this point, which means there is no way to decrypt files for free.

 

IOCs

Associated WastedLocker files:

[file_name].info
%AppData%\Service:bin
%AppData%\Arbiters:bin

Ransom note text:

[victim_name]

YOUR NETWORK IS ENCRYPTED NOW

USE xx@PROTONMAIL.COM | xx@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA

DO NOT GIVE THIS EMAIL TO 3RD PARTIES

DO NOT RENAME OR MOVE THE FILE

THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]xxxx[end_key]
KEEP IT

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.