win.wastedlocker

WastedLocker


WastedLocker is ransomware that has been observed in use by Evil Corp since May 2020. The name is derived from the filename it creates, which combines an abbreviation of the victim's name with the string 'wasted'. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was also used by other malware families, such as Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase the sample's entropy and hide the actual payload code.

References
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker
2020-08-31SymantecThreat Hunter Team
@techreport{team:20200831:sophisticated:7cf4dfe, author = {Threat Hunter Team}, title = {{Sophisticated Groups and Cyber Criminals Set Sights on Lucrative Financial Sector}}, date = {2020-08-31}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf}, language = {English}, urldate = {2020-09-23} } Sophisticated Groups and Cyber Criminals Set Sights on Lucrative Financial Sector
WastedLocker
2020-08-28McAfeeMcAfee
@online{mcafee:20200828:mvision:0bd3a1e, author = {McAfee}, title = {{MVISION Insights: Wastedlocker Ransomware}}, date = {2020-08-28}, organization = {McAfee}, url = {https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US}, language = {English}, urldate = {2020-10-02} } MVISION Insights: Wastedlocker Ransomware
WastedLocker
2020-08-16Hatena Blog谷川哲司
@online{:20200816:wastedlocker:4210f22, author = {谷川哲司}, title = {{WastedLocker IoC collection}}, date = {2020-08-16}, organization = {Hatena Blog}, url = {https://ioc.hatenablog.com/entry/2020/08/16/132853}, language = {Japanese}, urldate = {2020-10-02} } WastedLocker IoC collection
WastedLocker
2020-07-31Kaspersky LabsFedor Sinitsyn
@online{sinitsyn:20200731:wastedlocker:2eebe51, author = {Fedor Sinitsyn}, title = {{WastedLocker: technical analysis}}, date = {2020-07-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/wastedlocker-technical-analysis/97944/}, language = {English}, urldate = {2020-08-05} } WastedLocker: technical analysis
WastedLocker
2020-07-24BleepingComputerSergiu Gatlan
@online{gatlan:20200724:garmin:05d9247, author = {Sergiu Gatlan}, title = {{Garmin outage caused by confirmed WastedLocker ransomware attack}}, date = {2020-07-24}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/}, language = {English}, urldate = {2020-07-30} } Garmin outage caused by confirmed WastedLocker ransomware attack
WastedLocker
2020-07-23Sentinel LABSJim Walter
@online{walter:20200723:wastedlocker:aa88222, author = {Jim Walter}, title = {{WastedLocker Ransomware: Abusing ADS and NTFS File Attributes}}, date = {2020-07-23}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/}, language = {English}, urldate = {2020-07-24} } WastedLocker Ransomware: Abusing ADS and NTFS File Attributes
WastedLocker
2020-07-10MalwarebytesPieter Arntz
@online{arntz:20200710:threat:f64cac0, author = {Pieter Arntz}, title = {{Threat spotlight: WastedLocker, customized ransomware}}, date = {2020-07-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/}, language = {English}, urldate = {2020-07-15} } Threat spotlight: WastedLocker, customized ransomware
WastedLocker
2020-07-06Cisco TalosBen Baker, Edmund Brumaghin, JJ Cummings, Arnaud Zobec
@online{baker:20200706:wastedlocker:f33e129, author = {Ben Baker and Edmund Brumaghin and JJ Cummings and Arnaud Zobec}, title = {{WastedLocker Goes "Big-Game Hunting" in 2020}}, date = {2020-07-06}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html}, language = {English}, urldate = {2020-07-07} } WastedLocker Goes "Big-Game Hunting" in 2020
WastedLocker
2020-07AreteArete Incident Response
@techreport{response:202007:wastedlocker:f08d83b, author = {Arete Incident Response}, title = {{WastedLocker Ransomware Insights}}, date = {2020-07}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf}, language = {English}, urldate = {2020-07-30} } WastedLocker Ransomware Insights
WastedLocker
2020-06-26SymantecCritical Attack Discovery and Intelligence Team
@online{team:20200626:wastedlocker:0e9c75c, author = {Critical Attack Discovery and Intelligence Team}, title = {{WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations}}, date = {2020-06-26}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us}, language = {English}, urldate = {2020-06-26} } WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations
WastedLocker
2020-06-23NCC GroupNikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee
@online{pantazopoulos:20200623:wastedlocker:112d6b3, author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee}, title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}}, date = {2020-06-23}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/}, language = {English}, urldate = {2020-06-23} } WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker
2020Palo Alto Networks Unit 42Unit42
@online{unit42:2020:wastedlockerransomware:7c809d3, author = {Unit42}, title = {{Wastedlocker-ransomware}}, date = {2020}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/}, language = {English}, urldate = {2020-10-02} } Wastedlocker-ransomware
WastedLocker
Yara Rules
[TLP:WHITE] win_wastedlocker_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_wastedlocker_auto {
    // Auto-generated detection for WastedLocker built from x86 opcode
    // sequences that yara-signator selected out of the disassembly of
    // memory dumps and unpacked samples (see DISCLAIMER below). It targets
    // the unpacked code, not the CryptOne-wrapped outer layer.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a hex pattern of consecutive x86 instructions; the
    // listing under each string shows the decoded instructions. "??" bytes
    // are wildcards placed where the operand of a call (e8 / ff15) is left
    // blank in the listing - presumably because that operand is an address
    // that changes between builds/load positions, so it is not matched.
    // "n" is the number of instructions in the sequence; "score" is the
    // generator's ranking value (semantics not documented here).
    strings:
        $sequence_0 = { 50 50 6a18 8d7de0 f3ab 8d4ddc 51 }
            // n = 7, score = 500
            //   50                   | push                eax
            //   50                   | push                eax
            //   6a18                 | push                0x18
            //   8d7de0               | lea                 edi, [ebp - 0x20]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   51                   | push                ecx

        $sequence_1 = { ff74241c ffd3 8bf0 85f6 7444 8d042e }
            // n = 6, score = 500
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   ffd3                 | call                ebx
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7444                 | je                  0x46
            //   8d042e               | lea                 eax, [esi + ebp]

        $sequence_2 = { 83c038 50 ff7508 e8???????? 2b75f8 83c40c }
            // n = 6, score = 500
            //   83c038               | add                 eax, 0x38
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   2b75f8               | sub                 esi, dword ptr [ebp - 8]
            //   83c40c               | add                 esp, 0xc

        $sequence_3 = { 8bc6 bb00f0ffff 23c3 8d443802 }
            // n = 4, score = 500
            //   8bc6                 | mov                 eax, esi
            //   bb00f0ffff           | mov                 ebx, 0xfffff000
            //   23c3                 | and                 eax, ebx
            //   8d443802             | lea                 eax, [eax + edi + 2]

        $sequence_4 = { 50 8d85a8e9ffff 50 8d85f8fdffff 50 }
            // n = 5, score = 500
            //   50                   | push                eax
            //   8d85a8e9ffff         | lea                 eax, [ebp - 0x1658]
            //   50                   | push                eax
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   50                   | push                eax

        $sequence_5 = { 56 ff15???????? 395d08 7428 8b4628 }
            // n = 5, score = 500
            //   56                   | push                esi
            //   ff15????????         |                     
            //   395d08               | cmp                 dword ptr [ebp + 8], ebx
            //   7428                 | je                  0x2a
            //   8b4628               | mov                 eax, dword ptr [esi + 0x28]

        $sequence_6 = { 57 e8???????? 83c40c 6a04 58 8945fc eb03 }
            // n = 7, score = 500
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6a04                 | push                4
            //   58                   | pop                 eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   eb03                 | jmp                 5

        $sequence_7 = { ffd0 8bf0 3bf3 742e 681234560b }
            // n = 5, score = 500
            //   ffd0                 | call                eax
            //   8bf0                 | mov                 esi, eax
            //   3bf3                 | cmp                 esi, ebx
            //   742e                 | je                  0x30
            //   681234560b           | push                0xb563412

        $sequence_8 = { 5f 03c2 5e 89410c 5b c9 c20400 }
            // n = 7, score = 500
            //   5f                   | pop                 edi
            //   03c2                 | add                 eax, edx
            //   5e                   | pop                 esi
            //   89410c               | mov                 dword ptr [ecx + 0xc], eax
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20400               | ret                 4

        $sequence_9 = { 8bec 8b4518 81ec0c020000 53 56 8b30 }
            // n = 6, score = 500
            //   8bec                 | mov                 ebp, esp
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   81ec0c020000         | sub                 esp, 0x20c
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b30                 | mov                 esi, dword ptr [eax]

    // Match requires at least 7 of the 10 sequences above AND a scanned
    // object smaller than 147456 bytes (144 KiB). Because the sequences come
    // from unpacked code, a crypter-wrapped sample or a large process dump
    // may fail one of these two conditions; NOTE(review): confirm the size
    // cap and unpacking expectations against the intended scan target.
    condition:
        7 of them and filesize < 147456
}