win.wastedlocker (Back to overview)



WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.

2022-07-31BushidoToken BlogBushidoToken
Space Invaders: Cyber Threats That Are Out Of This World
Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker
2022-06-13Jorge TestaJorge Testa
Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-06-02MandiantMandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-16SymantecSymantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-23Sentinel LABSAntonio Pirozzi, Antonis Terefos, Idan Weizman
Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp
Dridex WastedLocker
2022-02-01Sentinel LABSAntonio Pirozzi, Antonis Terefos, Idan Weizman
Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp
Dridex FriedEx Hades Phoenix Locker WastedLocker
2022-01-25Seguranca InformaticaPedro Tavares
WastedLocker malware analysis
2022-01-24CyCraftCyCraft AI
The Road to Ransomware Resilience, Part 2: Behavior Analysis
Conti Prometheus WastedLocker
2021-08-15SymantecThreat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-06-16ProofpointDaniel Blackford, Garrett M. Graff, Selena Larson
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker TA570 TA575 TA577
2021-06-06Bleeping ComputerLawrence Abrams
New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions
Babuk FriedEx PayloadBIN WastedLocker
2021-05-26DeepInstinctRon Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-20Github (microsoft)Microsoft
Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares
STRRAT OceanLotus BabyShark Elise Revenge RAT WastedLocker Zebrocy
2021-05-18BitdefenderAron Radu, Bogdan Botezatu, George Mihali, Mihai Neagu, Ștefan Trifescu
New WastedLoader Campaign Delivered Through RIG Exploit Kit
WastedLoader WastedLocker
2021-05-05TRUESECMattias Wåhlén
Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
Cobalt Strike Hades WastedLocker
2021-03-25Bleeping ComputerSergiu Gatlan
Evil Corp switches to Hades ransomware to evade sanctions
Hades WastedLocker
2021-03-25Bleeping ComputerLawrence Abrams
Insurance giant CNA hit by new Phoenix CryptoLocker ransomware
2021-03-24CiscoCaitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends from Winter 2020-21
Egregor REvil WastedLocker
2021-03-17CrowdStrikeAdam Podlosky, Brendon Feeley
INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions
FriedEx WastedLocker
2021-03-17Palo Alto Networks Unit 42Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2020-12-21Cisco TalosJON MUNSHAW
2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-09-29PWC UKAndy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-08-31SymantecThreat Hunter Team
Sophisticated Groups and Cyber Criminals Set Sights on Lucrative Financial Sector
MVISION Insights: Wastedlocker Ransomware
2020-08-16Hatena Blog谷川哲司
WastedLocker IoC collection
2020-08-04SophosLabs UncutAnand Ajjan, Mark Loman
WastedLocker’s techniques point to a familiar heritage
2020-07-31Kaspersky LabsFedor Sinitsyn
WastedLocker: technical analysis
2020-07-30Palo Alto Networks Unit 42Adrian McCabe, Alex Hinchliffe, Doel Santos, Robert Falcone
Threat Assessment: WastedLocker Ransomware
2020-07-28SecuronixOleg Kolesnikov
Detecting WastedLocker Ransomware Using Security Analytics
2020-07-24BleepingComputerSergiu Gatlan
Garmin outage caused by confirmed WastedLocker ransomware attack
2020-07-23Sentinel LABSJim Walter
WastedLocker Ransomware: Abusing ADS and NTFS File Attributes
2020-07-10MalwarebytesPieter Arntz
Threat spotlight: WastedLocker, customized ransomware
2020-07-06Cisco TalosArnaud Zobec, Ben Baker, Edmund Brumaghin, JJ Cummings
WastedLocker Goes "Big-Game Hunting" in 2020
2020-07-01AreteArete Incident Response
WastedLocker Ransomware Insights
2020-06-26BBCBBC News
Russian hacker group Evil Corp targets US workers at home
WastedLocker Evil Corp
2020-06-26SymantecCritical Attack Discovery and Intelligence Team
WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations
donut_injector WastedLocker
2020-06-23NCC GroupMichael Sandee, Nikolaos Pantazopoulos, Stefano Antenucci
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker
2020-05-31Medium walmartglobaltechJason Reaves, Joshua Platt
WastedLoader or DridexLoader?
Dridex WastedLocker
2020-01-01Palo Alto Networks Unit 42Unit42
Yara Rules
[TLP:WHITE] win_wastedlocker_auto (20230808 | Detects win.wastedlocker.)
rule win_wastedlocker_auto {

        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.wastedlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = ""
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.

        $sequence_0 = { e8???????? 8bf0 ff7508 6a00 ff35???????? ff15???????? 5f }
            // n = 7, score = 1000
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   5f                   | pop                 edi

        $sequence_1 = { 8945e4 8d45dc 50 c745dc18000000 897de0 }
            // n = 5, score = 1000
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   c745dc18000000       | mov                 dword ptr [ebp - 0x24], 0x18
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi

        $sequence_2 = { 50 e8???????? 83c40c 56 8d85c8f1ffff 53 50 }
            // n = 7, score = 1000
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   56                   | push                esi
            //   8d85c8f1ffff         | lea                 eax, [ebp - 0xe38]
            //   53                   | push                ebx
            //   50                   | push                eax

        $sequence_3 = { ffd3 8bf8 85ff 7419 6a20 57 ffd3 }
            // n = 7, score = 1000
            //   ffd3                 | call                ebx
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7419                 | je                  0x1b
            //   6a20                 | push                0x20
            //   57                   | push                edi
            //   ffd3                 | call                ebx

        $sequence_4 = { 8d45ec 50 8d45d4 50 6816011200 }
            // n = 5, score = 1000
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   50                   | push                eax
            //   6816011200           | push                0x120116

        $sequence_5 = { 3b45d0 0f8382000000 894dd8 394de0 740b 0fb703 034710 }
            // n = 7, score = 1000
            //   3b45d0               | cmp                 eax, dword ptr [ebp - 0x30]
            //   0f8382000000         | jae                 0x88
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   394de0               | cmp                 dword ptr [ebp - 0x20], ecx
            //   740b                 | je                  0xd
            //   0fb703               | movzx               eax, word ptr [ebx]
            //   034710               | add                 eax, dword ptr [edi + 0x10]

        $sequence_6 = { ff35???????? ff15???????? 5f ff75f8 ff15???????? }
            // n = 5, score = 1000
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     

        $sequence_7 = { 6a00 ff35???????? ff15???????? 8bd8 85db 7469 8b450c }
            // n = 7, score = 1000
            //   6a00                 | push                0
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7469                 | je                  0x6b
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_8 = { 2500f0ffff 56 0500100000 50 56 b812345607 }
            // n = 6, score = 1000
            //   2500f0ffff           | and                 eax, 0xfffff000
            //   56                   | push                esi
            //   0500100000           | add                 eax, 0x1000
            //   50                   | push                eax
            //   56                   | push                esi
            //   b812345607           | mov                 eax, 0x7563412

        $sequence_9 = { bf04010000 ffd3 8bf0 85f6 746a 57 56 }
            // n = 7, score = 1000
            //   bf04010000           | mov                 edi, 0x104
            //   ffd3                 | call                ebx
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   746a                 | je                  0x6c
            //   57                   | push                edi
            //   56                   | push                esi

        7 of them and filesize < 147456
Download all Yara Rules