SYMBOLCOMMON_NAMEaka. SYNONYMS
win.wastedlocker (Back to overview)

WastedLocker


WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.

References
2022-07-31BushidoToken BlogBushidoToken
@online{bushidotoken:20220731:space:636e570, author = {BushidoToken}, title = {{Space Invaders: Cyber Threats That Are Out Of This World}}, date = {2022-07-31}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html}, language = {English}, urldate = {2022-08-02} } Space Invaders: Cyber Threats That Are Out Of This World
Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker
2022-06-13Jorge TestaJorge Testa
@online{testa:20220613:killing:36e9385, author = {Jorge Testa}, title = {{Killing The Bear - Evil Corp}}, date = {2022-06-13}, organization = {Jorge Testa}, url = {https://killingthebear.jorgetesta.tech/actors/evil-corp}, language = {English}, urldate = {2022-07-01} } Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-06-02MandiantMandiant Intelligence
@online{intelligence:20220602:to:e15831c, author = {Mandiant Intelligence}, title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions}, language = {English}, urldate = {2022-06-04} } To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-23Sentinel LABSAntonio Pirozzi, Antonis Terefos, Idan Weizman
@online{pirozzi:20220223:sanctions:aae1c98, author = {Antonio Pirozzi and Antonis Terefos and Idan Weizman}, title = {{Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp}}, date = {2022-02-23}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/}, language = {English}, urldate = {2022-02-26} } Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp
Dridex WastedLocker
2022-02Sentinel LABSAntonio Pirozzi, Antonis Terefos, Idan Weizman
@techreport{pirozzi:202202:sanctions:2213742, author = {Antonio Pirozzi and Antonis Terefos and Idan Weizman}, title = {{Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp}}, date = {2022-02}, institution = {Sentinel LABS}, url = {https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf}, language = {English}, urldate = {2022-05-17} } Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp
Dridex FriedEx Hades Phoenix Locker WastedLocker
2022-01-25Seguranca InformaticaPedro Tavares
@online{tavares:20220125:wastedlocker:f0b5b69, author = {Pedro Tavares}, title = {{WastedLocker malware analysis}}, date = {2022-01-25}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/wastedlocker-malware-analysis/#.YfAaIRUITTY.twitter}, language = {English}, urldate = {2022-02-14} } WastedLocker malware analysis
WastedLocker
2022-01-24CyCraftCyCraft AI
@online{ai:20220124:road:2070066, author = {CyCraft AI}, title = {{The Road to Ransomware Resilience, Part 2: Behavior Analysis}}, date = {2022-01-24}, organization = {CyCraft}, url = {https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd}, language = {English}, urldate = {2022-03-02} } The Road to Ransomware Resilience, Part 2: Behavior Analysis
Conti Prometheus WastedLocker
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-06-16ProofpointSelena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-06-06Bleeping ComputerLawrence Abrams
@online{abrams:20210606:new:8c47cad, author = {Lawrence Abrams}, title = {{New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions}}, date = {2021-06-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/}, language = {English}, urldate = {2021-06-16} } New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions
Babuk FriedEx PayloadBIN WastedLocker
2021-05-26DeepInstinctRon Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-20Github (microsoft)Microsoft
@online{microsoft:20210520:microsoft:41112d3, author = {Microsoft}, title = {{Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares}}, date = {2021-05-20}, organization = {Github (microsoft)}, url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries}, language = {English}, urldate = {2021-05-25} } Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares
STRRAT OceanLotus BabyShark Elise Revenge RAT WastedLocker Zebrocy
2021-05-18BitdefenderMihai Neagu, Bogdan Botezatu, George Mihali, Aron Radu, Ștefan Trifescu
@techreport{neagu:20210518:new:52eb07f, author = {Mihai Neagu and Bogdan Botezatu and George Mihali and Aron Radu and Ștefan Trifescu}, title = {{New WastedLoader Campaign Delivered Through RIG Exploit Kit}}, date = {2021-05-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf}, language = {English}, urldate = {2021-05-19} } New WastedLoader Campaign Delivered Through RIG Exploit Kit
WastedLoader WastedLocker
2021-05-05TRUESECMattias Wåhlén
@online{whln:20210505:are:61bb8a0, author = {Mattias Wåhlén}, title = {{Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?}}, date = {2021-05-05}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/}, language = {English}, urldate = {2021-05-08} } Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
Cobalt Strike Hades WastedLocker
2021-03-25Bleeping ComputerSergiu Gatlan
@online{gatlan:20210325:evil:5b966ff, author = {Sergiu Gatlan}, title = {{Evil Corp switches to Hades ransomware to evade sanctions}}, date = {2021-03-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/}, language = {English}, urldate = {2021-03-30} } Evil Corp switches to Hades ransomware to evade sanctions
Hades WastedLocker
2021-03-25Bleeping ComputerLawrence Abrams
@online{abrams:20210325:insurance:5e12adf, author = {Lawrence Abrams}, title = {{Insurance giant CNA hit by new Phoenix CryptoLocker ransomware}}, date = {2021-03-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/}, language = {English}, urldate = {2021-03-30} } Insurance giant CNA hit by new Phoenix CryptoLocker ransomware
WastedLocker
2021-03-24CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20210324:quarterly:4707c30, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Winter 2020-21}}, date = {2021-03-24}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html}, language = {English}, urldate = {2021-03-25} } Quarterly Report: Incident Response trends from Winter 2020-21
Egregor REvil WastedLocker
2021-03-17CrowdStrikeAdam Podlosky, Brendon Feeley
@online{podlosky:20210317:indrik:65d1f3f, author = {Adam Podlosky and Brendon Feeley}, title = {{INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions}}, date = {2021-03-17}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/}, language = {English}, urldate = {2021-03-19} } INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions
FriedEx WastedLocker
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021SecureWorks
@online{secureworks:2021:threat:dbd7ed7, author = {SecureWorks}, title = {{Threat Profile: GOLD DRAKE}}, date = {2021}, url = {http://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-08-31SymantecThreat Hunter Team
@techreport{team:20200831:sophisticated:7cf4dfe, author = {Threat Hunter Team}, title = {{Sophisticated Groups and Cyber Criminals Set Sights on Lucrative Financial Sector}}, date = {2020-08-31}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf}, language = {English}, urldate = {2020-09-23} } Sophisticated Groups and Cyber Criminals Set Sights on Lucrative Financial Sector
WastedLocker
2020-08-28McAfeeMcAfee
@online{mcafee:20200828:mvision:0bd3a1e, author = {McAfee}, title = {{MVISION Insights: Wastedlocker Ransomware}}, date = {2020-08-28}, organization = {McAfee}, url = {https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US}, language = {English}, urldate = {2020-10-02} } MVISION Insights: Wastedlocker Ransomware
WastedLocker
2020-08-16Hatena Blog谷川哲司
@online{:20200816:wastedlocker:4210f22, author = {谷川哲司}, title = {{WastedLocker IoC collection}}, date = {2020-08-16}, organization = {Hatena Blog}, url = {https://ioc.hatenablog.com/entry/2020/08/16/132853}, language = {Japanese}, urldate = {2020-10-02} } WastedLocker IoC collection
WastedLocker
2020-08-04SophosLabs UncutMark Loman, Anand Ajjan
@online{loman:20200804:wastedlockers:753972a, author = {Mark Loman and Anand Ajjan}, title = {{WastedLocker’s techniques point to a familiar heritage}}, date = {2020-08-04}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/}, language = {English}, urldate = {2022-03-22} } WastedLocker’s techniques point to a familiar heritage
WastedLocker
2020-07-31Kaspersky LabsFedor Sinitsyn
@online{sinitsyn:20200731:wastedlocker:2eebe51, author = {Fedor Sinitsyn}, title = {{WastedLocker: technical analysis}}, date = {2020-07-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/wastedlocker-technical-analysis/97944/}, language = {English}, urldate = {2020-08-05} } WastedLocker: technical analysis
WastedLocker
2020-07-30Palo Alto Networks Unit 42Alex Hinchliffe, Doel Santos, Adrian McCabe, Robert Falcone
@online{hinchliffe:20200730:threat:e1b5ad9, author = {Alex Hinchliffe and Doel Santos and Adrian McCabe and Robert Falcone}, title = {{Threat Assessment: WastedLocker Ransomware}}, date = {2020-07-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wastedlocker/}, language = {English}, urldate = {2021-06-09} } Threat Assessment: WastedLocker Ransomware
WastedLocker
2020-07-28SecuronixOleg Kolesnikov
@techreport{kolesnikov:20200728:detecting:f743725, author = {Oleg Kolesnikov}, title = {{Detecting WastedLocker Ransomware Using Security Analytics}}, date = {2020-07-28}, institution = {Securonix}, url = {https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf}, language = {English}, urldate = {2020-11-04} } Detecting WastedLocker Ransomware Using Security Analytics
WastedLocker
2020-07-24BleepingComputerSergiu Gatlan
@online{gatlan:20200724:garmin:05d9247, author = {Sergiu Gatlan}, title = {{Garmin outage caused by confirmed WastedLocker ransomware attack}}, date = {2020-07-24}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/}, language = {English}, urldate = {2020-07-30} } Garmin outage caused by confirmed WastedLocker ransomware attack
WastedLocker
2020-07-23Sentinel LABSJim Walter
@online{walter:20200723:wastedlocker:aa88222, author = {Jim Walter}, title = {{WastedLocker Ransomware: Abusing ADS and NTFS File Attributes}}, date = {2020-07-23}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/}, language = {English}, urldate = {2020-07-24} } WastedLocker Ransomware: Abusing ADS and NTFS File Attributes
WastedLocker
2020-07-10MalwarebytesPieter Arntz
@online{arntz:20200710:threat:f64cac0, author = {Pieter Arntz}, title = {{Threat spotlight: WastedLocker, customized ransomware}}, date = {2020-07-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/}, language = {English}, urldate = {2020-07-15} } Threat spotlight: WastedLocker, customized ransomware
WastedLocker
2020-07-06Cisco TalosBen Baker, Edmund Brumaghin, JJ Cummings, Arnaud Zobec
@online{baker:20200706:wastedlocker:f33e129, author = {Ben Baker and Edmund Brumaghin and JJ Cummings and Arnaud Zobec}, title = {{WastedLocker Goes "Big-Game Hunting" in 2020}}, date = {2020-07-06}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html}, language = {English}, urldate = {2020-07-07} } WastedLocker Goes "Big-Game Hunting" in 2020
WastedLocker
2020-07AreteArete Incident Response
@techreport{response:202007:wastedlocker:f08d83b, author = {Arete Incident Response}, title = {{WastedLocker Ransomware Insights}}, date = {2020-07}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf}, language = {English}, urldate = {2020-07-30} } WastedLocker Ransomware Insights
WastedLocker
2020-06-26SymantecCritical Attack Discovery and Intelligence Team
@online{team:20200626:wastedlocker:0e9c75c, author = {Critical Attack Discovery and Intelligence Team}, title = {{WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations}}, date = {2020-06-26}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us}, language = {English}, urldate = {2020-06-26} } WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations
donut_injector WastedLocker
2020-06-26BBCBBC News
@online{news:20200626:russian:a1216ac, author = {BBC News}, title = {{Russian hacker group Evil Corp targets US workers at home}}, date = {2020-06-26}, organization = {BBC}, url = {https://www.bbc.com/news/world-us-canada-53195749}, language = {English}, urldate = {2020-11-02} } Russian hacker group Evil Corp targets US workers at home
WastedLocker Evil Corp
2020-06-23NCC GroupNikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee
@online{pantazopoulos:20200623:wastedlocker:112d6b3, author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee}, title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}}, date = {2020-06-23}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/}, language = {English}, urldate = {2020-06-23} } WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker
2020-05-31Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20200531:wastedloader:c37b988, author = {Jason Reaves and Joshua Platt}, title = {{WastedLoader or DridexLoader?}}, date = {2020-05-31}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77}, language = {English}, urldate = {2021-06-09} } WastedLoader or DridexLoader?
Dridex WastedLocker
2020Palo Alto Networks Unit 42Unit42
@online{unit42:2020:wastedlockerransomware:7c809d3, author = {Unit42}, title = {{Wastedlocker-ransomware}}, date = {2020}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/}, language = {English}, urldate = {2020-10-02} } Wastedlocker-ransomware
WastedLocker
Yara Rules
[TLP:WHITE] win_wastedlocker_auto (20220808 | Detects win.wastedlocker.)
rule win_wastedlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.wastedlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 ff35???????? ff15???????? 3975f0 7411 ff75f0 }
            // n = 6, score = 1000
            //   56                   | push                esi
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   3975f0               | cmp                 dword ptr [ebp - 0x10], esi
            //   7411                 | je                  0x13
            //   ff75f0               | push                dword ptr [ebp - 0x10]

        $sequence_1 = { 8910 83c004 49 75f5 8d45f0 50 8d45ac }
            // n = 7, score = 1000
            //   8910                 | mov                 dword ptr [eax], edx
            //   83c004               | add                 eax, 4
            //   49                   | dec                 ecx
            //   75f5                 | jne                 0xfffffff7
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   8d45ac               | lea                 eax, [ebp - 0x54]

        $sequence_2 = { 89410c 5b c9 c20400 85d2 762c 56 }
            // n = 7, score = 1000
            //   89410c               | mov                 dword ptr [ecx + 0xc], eax
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   85d2                 | test                edx, edx
            //   762c                 | jbe                 0x2e
            //   56                   | push                esi

        $sequence_3 = { 6800020000 8bf0 8d8500feffff 6a00 50 e8???????? 83c40c }
            // n = 7, score = 1000
            //   6800020000           | push                0x200
            //   8bf0                 | mov                 esi, eax
            //   8d8500feffff         | lea                 eax, [ebp - 0x200]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_4 = { 6a28 57 56 e8???????? 83c40c 8d5e1c }
            // n = 6, score = 1000
            //   6a28                 | push                0x28
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d5e1c               | lea                 ebx, [esi + 0x1c]

        $sequence_5 = { 33ff 57 57 ffd6 8bd8 85db 7455 }
            // n = 7, score = 1000
            //   33ff                 | xor                 edi, edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7455                 | je                  0x57

        $sequence_6 = { 23de 0beb 896810 8b5a14 8beb c1cd08 23ef }
            // n = 7, score = 1000
            //   23de                 | and                 ebx, esi
            //   0beb                 | or                  ebp, ebx
            //   896810               | mov                 dword ptr [eax + 0x10], ebp
            //   8b5a14               | mov                 ebx, dword ptr [edx + 0x14]
            //   8beb                 | mov                 ebp, ebx
            //   c1cd08               | ror                 ebp, 8
            //   23ef                 | and                 ebp, edi

        $sequence_7 = { ff35???????? 81c704010000 ff15???????? 8d043f 50 6a00 ff35???????? }
            // n = 7, score = 1000
            //   ff35????????         |                     
            //   81c704010000         | add                 edi, 0x104
            //   ff15????????         |                     
            //   8d043f               | lea                 eax, [edi + edi]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ff35????????         |                     

        $sequence_8 = { 03d7 39542410 7210 81c3ffff0000 83c628 6685db }
            // n = 6, score = 1000
            //   03d7                 | add                 edx, edi
            //   39542410             | cmp                 dword ptr [esp + 0x10], edx
            //   7210                 | jb                  0x12
            //   81c3ffff0000         | add                 ebx, 0xffff
            //   83c628               | add                 esi, 0x28
            //   6685db               | test                bx, bx

        $sequence_9 = { 83c628 6685c9 75ea 6a0b 58 }
            // n = 5, score = 1000
            //   83c628               | add                 esi, 0x28
            //   6685c9               | test                cx, cx
            //   75ea                 | jne                 0xffffffec
            //   6a0b                 | push                0xb
            //   58                   | pop                 eax

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules