WastedLocker (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.wastedlocker (Back to overview)

WastedLocker

WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.

References

2022-07-31 ⋅ BushidoToken Blog ⋅ BushidoToken
Space Invaders: Cyber Threats That Are Out Of This World
Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker

2022-06-13 ⋅ Jorge Testa ⋅ Jorge Testa
Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker

2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-03-17 ⋅ Sophos ⋅ Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin

2022-02-23 ⋅ Sentinel LABS ⋅ Antonio Pirozzi, Antonis Terefos, Idan Weizman
Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp
Dridex WastedLocker

2022-02 ⋅ Sentinel LABS ⋅ Antonio Pirozzi, Antonis Terefos, Idan Weizman
Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp
Dridex FriedEx Hades Phoenix Locker WastedLocker

2022-01-25 ⋅ Seguranca Informatica ⋅ Pedro Tavares
WastedLocker malware analysis
WastedLocker

2022-01-24 ⋅ CyCraft ⋅ CyCraft AI
The Road to Ransomware Resilience, Part 2: Behavior Analysis
Conti Prometheus WastedLocker

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker

2021-06-06 ⋅ Bleeping Computer ⋅ Lawrence Abrams
New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions
Babuk FriedEx PayloadBIN WastedLocker

2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader

2021-05-20 ⋅ Github (microsoft) ⋅ Microsoft
Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares
STRRAT OceanLotus BabyShark Elise Revenge RAT WastedLocker Zebrocy

2021-05-18 ⋅ Bitdefender ⋅ Mihai Neagu, Bogdan Botezatu, George Mihali, Aron Radu, Ștefan Trifescu
New WastedLoader Campaign Delivered Through RIG Exploit Kit
WastedLoader WastedLocker

2021-05-05 ⋅ TRUESEC ⋅ Mattias Wåhlén
Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
Cobalt Strike Hades WastedLocker

2021-03-25 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Evil Corp switches to Hades ransomware to evade sanctions
Hades WastedLocker

2021-03-25 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Insurance giant CNA hit by new Phoenix CryptoLocker ransomware
WastedLocker

2021-03-24 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey
Quarterly Report: Incident Response trends from Winter 2020-21
Egregor REvil WastedLocker

2021-03-17 ⋅ CrowdStrike ⋅ Adam Podlosky, Brendon Feeley
INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions
FriedEx WastedLocker

2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021 ⋅ SecureWorks
Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp

2020-12-21 ⋅ Cisco Talos ⋅ JON MUNSHAW
2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader

2020-09-29 ⋅ PWC UK ⋅ Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker

2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER

2020-08-31 ⋅ Symantec ⋅ Threat Hunter Team
Sophisticated Groups and Cyber Criminals Set Sights on Lucrative Financial Sector
WastedLocker

2020-08-28 ⋅ McAfee ⋅ McAfee
MVISION Insights: Wastedlocker Ransomware
WastedLocker

2020-08-16 ⋅ Hatena Blog ⋅ 谷川哲司
WastedLocker IoC collection
WastedLocker

2020-08-04 ⋅ SophosLabs Uncut ⋅ Mark Loman, Anand Ajjan
WastedLocker’s techniques point to a familiar heritage
WastedLocker

2020-07-31 ⋅ Kaspersky Labs ⋅ Fedor Sinitsyn
WastedLocker: technical analysis
WastedLocker

2020-07-30 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe, Doel Santos, Adrian McCabe, Robert Falcone
Threat Assessment: WastedLocker Ransomware
WastedLocker

2020-07-28 ⋅ Securonix ⋅ Oleg Kolesnikov
Detecting WastedLocker Ransomware Using Security Analytics
WastedLocker

2020-07-24 ⋅ BleepingComputer ⋅ Sergiu Gatlan
Garmin outage caused by confirmed WastedLocker ransomware attack
WastedLocker

2020-07-23 ⋅ Sentinel LABS ⋅ Jim Walter
WastedLocker Ransomware: Abusing ADS and NTFS File Attributes
WastedLocker

2020-07-10 ⋅ Malwarebytes ⋅ Pieter Arntz
Threat spotlight: WastedLocker, customized ransomware
WastedLocker

2020-07-06 ⋅ Cisco Talos ⋅ Ben Baker, Edmund Brumaghin, JJ Cummings, Arnaud Zobec
WastedLocker Goes "Big-Game Hunting" in 2020
WastedLocker

2020-07 ⋅ Arete ⋅ Arete Incident Response
WastedLocker Ransomware Insights
WastedLocker

2020-06-26 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations
donut_injector WastedLocker

2020-06-26 ⋅ BBC ⋅ BBC News
Russian hacker group Evil Corp targets US workers at home
WastedLocker Evil Corp

2020-06-23 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker

2020-05-31 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
WastedLoader or DridexLoader?
Dridex WastedLocker

2020 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
Wastedlocker-ransomware
WastedLocker

Yara Rules

[TLP:WHITE] win_wastedlocker_auto (20230407 | Detects win.wastedlocker.)

rule win_wastedlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.wastedlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ab 8d7de4 ab ab ab ab 8b4508 }
            // n = 7, score = 1000
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   8d7de4               | lea                 edi, [ebp - 0x1c]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_1 = { 6810041000 b812345605 ffd0 3bc3 }
            // n = 4, score = 1000
            //   6810041000           | push                0x100410
            //   b812345605           | mov                 eax, 0x5563412
            //   ffd0                 | call                eax
            //   3bc3                 | cmp                 eax, ebx

        $sequence_2 = { 56 ff15???????? 8945f8 8b4738 85c0 740a ff7740 }
            // n = 7, score = 1000
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4738               | mov                 eax, dword ptr [edi + 0x38]
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc
            //   ff7740               | push                dword ptr [edi + 0x40]

        $sequence_3 = { 8b4d0c 6a04 5a d3e2 }
            // n = 4, score = 1000
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   6a04                 | push                4
            //   5a                   | pop                 edx
            //   d3e2                 | shl                 edx, cl

        $sequence_4 = { 0fb7c6 bf00000100 2bf8 397d10 7303 8b7d10 8a06 }
            // n = 7, score = 1000
            //   0fb7c6               | movzx               eax, si
            //   bf00000100           | mov                 edi, 0x10000
            //   2bf8                 | sub                 edi, eax
            //   397d10               | cmp                 dword ptr [ebp + 0x10], edi
            //   7303                 | jae                 5
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   8a06                 | mov                 al, byte ptr [esi]

        $sequence_5 = { 83f802 7241 8b07 3d66006900 }
            // n = 4, score = 1000
            //   83f802               | cmp                 eax, 2
            //   7241                 | jb                  0x43
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   3d66006900           | cmp                 eax, 0x690066

        $sequence_6 = { 8b450c 53 ff7514 8d440601 ff7510 50 }
            // n = 6, score = 1000
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   53                   | push                ebx
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   8d440601             | lea                 eax, [esi + eax + 1]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   50                   | push                eax

        $sequence_7 = { 50 53 e8???????? 6a00 8d45fc 50 }
            // n = 6, score = 1000
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           |                     
            //   6a00                 | push                0
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax

        $sequence_8 = { 83ec0c 57 8bf8 8b4f3c 03cf }
            // n = 5, score = 1000
            //   83ec0c               | sub                 esp, 0xc
            //   57                   | push                edi
            //   8bf8                 | mov                 edi, eax
            //   8b4f3c               | mov                 ecx, dword ptr [edi + 0x3c]
            //   03cf                 | add                 ecx, edi

        $sequence_9 = { ff7624 ff7604 ff15???????? 85c0 740a 897e20 }
            // n = 6, score = 1000
            //   ff7624               | push                dword ptr [esi + 0x24]
            //   ff7604               | push                dword ptr [esi + 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc
            //   897e20               | mov                 dword ptr [esi + 0x20], edi

    condition:
        7 of them and filesize < 147456
}

Download all Yara Rules

WastedLocker Propose Change

References

Yara Rules

WastedLocker