SYMBOLCOMMON_NAMEaka. SYNONYMS
win.wastedlocker (Back to overview)

WastedLocker


WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.

References
2021-03-25Bleeping ComputerLawrence Abrams
@online{abrams:20210325:insurance:5e12adf, author = {Lawrence Abrams}, title = {{Insurance giant CNA hit by new Phoenix CryptoLocker ransomware}}, date = {2021-03-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/}, language = {English}, urldate = {2021-03-30} } Insurance giant CNA hit by new Phoenix CryptoLocker ransomware
WastedLocker
2021-03-25Bleeping ComputerSergiu Gatlan
@online{gatlan:20210325:evil:5b966ff, author = {Sergiu Gatlan}, title = {{Evil Corp switches to Hades ransomware to evade sanctions}}, date = {2021-03-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/}, language = {English}, urldate = {2021-03-30} } Evil Corp switches to Hades ransomware to evade sanctions
Hades Ransomware WastedLocker
2021-03-24CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20210324:quarterly:4707c30, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Winter 2020-21}}, date = {2021-03-24}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html}, language = {English}, urldate = {2021-03-25} } Quarterly Report: Incident Response trends from Winter 2020-21
Egregor REvil WastedLocker
2021-03-17CrowdStrikeAdam Podlosky, Brendon Feeley
@online{podlosky:20210317:indrik:65d1f3f, author = {Adam Podlosky and Brendon Feeley}, title = {{INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions}}, date = {2021-03-17}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/}, language = {English}, urldate = {2021-03-19} } INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions
FriedEx WastedLocker
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos Ransomware RansomEXX REvil Ryuk WastedLocker Zeppelin Ransomware
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker
2020-08-31SymantecThreat Hunter Team
@techreport{team:20200831:sophisticated:7cf4dfe, author = {Threat Hunter Team}, title = {{Sophisticated Groups and Cyber Criminals Set Sights on Lucrative Financial Sector}}, date = {2020-08-31}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf}, language = {English}, urldate = {2020-09-23} } Sophisticated Groups and Cyber Criminals Set Sights on Lucrative Financial Sector
WastedLocker
2020-08-28McAfeeMcAfee
@online{mcafee:20200828:mvision:0bd3a1e, author = {McAfee}, title = {{MVISION Insights: Wastedlocker Ransomware}}, date = {2020-08-28}, organization = {McAfee}, url = {https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US}, language = {English}, urldate = {2020-10-02} } MVISION Insights: Wastedlocker Ransomware
WastedLocker
2020-08-16Hatena Blog谷川哲司
@online{:20200816:wastedlocker:4210f22, author = {谷川哲司}, title = {{WastedLocker IoC collection}}, date = {2020-08-16}, organization = {Hatena Blog}, url = {https://ioc.hatenablog.com/entry/2020/08/16/132853}, language = {Japanese}, urldate = {2020-10-02} } WastedLocker IoC collection
WastedLocker
2020-07-31Kaspersky LabsFedor Sinitsyn
@online{sinitsyn:20200731:wastedlocker:2eebe51, author = {Fedor Sinitsyn}, title = {{WastedLocker: technical analysis}}, date = {2020-07-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/wastedlocker-technical-analysis/97944/}, language = {English}, urldate = {2020-08-05} } WastedLocker: technical analysis
WastedLocker
2020-07-28SecuronixOleg Kolesnikov
@techreport{kolesnikov:20200728:detecting:f743725, author = {Oleg Kolesnikov}, title = {{Detecting WastedLocker Ransomware Using Security Analytics}}, date = {2020-07-28}, institution = {Securonix}, url = {https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf}, language = {English}, urldate = {2020-11-04} } Detecting WastedLocker Ransomware Using Security Analytics
WastedLocker
2020-07-24BleepingComputerSergiu Gatlan
@online{gatlan:20200724:garmin:05d9247, author = {Sergiu Gatlan}, title = {{Garmin outage caused by confirmed WastedLocker ransomware attack}}, date = {2020-07-24}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/}, language = {English}, urldate = {2020-07-30} } Garmin outage caused by confirmed WastedLocker ransomware attack
WastedLocker
2020-07-23Sentinel LABSJim Walter
@online{walter:20200723:wastedlocker:aa88222, author = {Jim Walter}, title = {{WastedLocker Ransomware: Abusing ADS and NTFS File Attributes}}, date = {2020-07-23}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/}, language = {English}, urldate = {2020-07-24} } WastedLocker Ransomware: Abusing ADS and NTFS File Attributes
WastedLocker
2020-07-10MalwarebytesPieter Arntz
@online{arntz:20200710:threat:f64cac0, author = {Pieter Arntz}, title = {{Threat spotlight: WastedLocker, customized ransomware}}, date = {2020-07-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/}, language = {English}, urldate = {2020-07-15} } Threat spotlight: WastedLocker, customized ransomware
WastedLocker
2020-07-06Cisco TalosBen Baker, Edmund Brumaghin, JJ Cummings, Arnaud Zobec
@online{baker:20200706:wastedlocker:f33e129, author = {Ben Baker and Edmund Brumaghin and JJ Cummings and Arnaud Zobec}, title = {{WastedLocker Goes "Big-Game Hunting" in 2020}}, date = {2020-07-06}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html}, language = {English}, urldate = {2020-07-07} } WastedLocker Goes "Big-Game Hunting" in 2020
WastedLocker
2020-07AreteArete Incident Response
@techreport{response:202007:wastedlocker:f08d83b, author = {Arete Incident Response}, title = {{WastedLocker Ransomware Insights}}, date = {2020-07}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf}, language = {English}, urldate = {2020-07-30} } WastedLocker Ransomware Insights
WastedLocker
2020-06-26BBCBBC News
@online{news:20200626:russian:a1216ac, author = {BBC News}, title = {{Russian hacker group Evil Corp targets US workers at home}}, date = {2020-06-26}, organization = {BBC}, url = {https://www.bbc.com/news/world-us-canada-53195749}, language = {English}, urldate = {2020-11-02} } Russian hacker group Evil Corp targets US workers at home
WastedLocker Evil Corp
2020-06-26SymantecCritical Attack Discovery and Intelligence Team
@online{team:20200626:wastedlocker:0e9c75c, author = {Critical Attack Discovery and Intelligence Team}, title = {{WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations}}, date = {2020-06-26}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us}, language = {English}, urldate = {2020-06-26} } WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations
donut_injector WastedLocker
2020-06-23NCC GroupNikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee
@online{pantazopoulos:20200623:wastedlocker:112d6b3, author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee}, title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}}, date = {2020-06-23}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/}, language = {English}, urldate = {2020-06-23} } WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker
2020Palo Alto Networks Unit 42Unit42
@online{unit42:2020:wastedlockerransomware:7c809d3, author = {Unit42}, title = {{Wastedlocker-ransomware}}, date = {2020}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/}, language = {English}, urldate = {2020-10-02} } Wastedlocker-ransomware
WastedLocker
Yara Rules
[TLP:WHITE] win_wastedlocker_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_wastedlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 ff750c 8bf0 8d85e8f7ffff }
            // n = 4, score = 800
            //   57                   | push                edi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8bf0                 | mov                 esi, eax
            //   8d85e8f7ffff         | lea                 eax, [ebp - 0x818]

        $sequence_1 = { 6683fe3f 740b 8b4dfc 8b55f8 017dfc eb04 03d7 }
            // n = 7, score = 800
            //   6683fe3f             | cmp                 si, 0x3f
            //   740b                 | je                  0xd
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   017dfc               | add                 dword ptr [ebp - 4], edi
            //   eb04                 | jmp                 6
            //   03d7                 | add                 edx, edi

        $sequence_2 = { 56 57 8bf8 8d85ccfeffff 8bf1 }
            // n = 5, score = 800
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf8                 | mov                 edi, eax
            //   8d85ccfeffff         | lea                 eax, [ebp - 0x134]
            //   8bf1                 | mov                 esi, ecx

        $sequence_3 = { 6a00 50 e8???????? 85c0 75ef eb11 }
            // n = 6, score = 800
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75ef                 | jne                 0xfffffff1
            //   eb11                 | jmp                 0x13

        $sequence_4 = { 2907 833f00 7512 56 8bcb 8d95e8fdffff e8???????? }
            // n = 7, score = 800
            //   2907                 | sub                 dword ptr [edi], eax
            //   833f00               | cmp                 dword ptr [edi], 0
            //   7512                 | jne                 0x14
            //   56                   | push                esi
            //   8bcb                 | mov                 ecx, ebx
            //   8d95e8fdffff         | lea                 edx, [ebp - 0x218]
            //   e8????????           |                     

        $sequence_5 = { ff15???????? 8bf0 83feff 7428 ff742418 ff742418 ff742418 }
            // n = 7, score = 800
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7428                 | je                  0x2a
            //   ff742418             | push                dword ptr [esp + 0x18]
            //   ff742418             | push                dword ptr [esp + 0x18]
            //   ff742418             | push                dword ptr [esp + 0x18]

        $sequence_6 = { 0f95c3 57 8945fc 43 6aff 6a00 8d45f8 }
            // n = 7, score = 800
            //   0f95c3               | setne               bl
            //   57                   | push                edi
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   43                   | inc                 ebx
            //   6aff                 | push                -1
            //   6a00                 | push                0
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_7 = { 897dec 897df0 ff15???????? 50 ff15???????? ff75f8 8bf0 }
            // n = 7, score = 800
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   8bf0                 | mov                 esi, eax

        $sequence_8 = { 8bf8 ff15???????? eb0d 6a08 5f }
            // n = 5, score = 800
            //   8bf8                 | mov                 edi, eax
            //   ff15????????         |                     
            //   eb0d                 | jmp                 0xf
            //   6a08                 | push                8
            //   5f                   | pop                 edi

        $sequence_9 = { ff7508 ff15???????? eb09 ff15???????? 8945fc }
            // n = 5, score = 800
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   eb09                 | jmp                 0xb
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules