What is WastedLocker ransomware and how to protect against it

Like most ransomware, WastedLocker attacks computers running Windows. However, WastedLocker is a big game hunter

It attacks large corporations and asks for huge ransoms. While many ransomware attacks ask for a few hundred dollars, WastedLocker demands millions of dollars.

The hacker group behind WastedLocker is very well organized. Since the early years of this century, the team has been in operation and has earned more than $100 million.

Who is behind WastedLocker ransomware?

WastedLocker is a product of Evil Corp, which is also known as Indrik Spider. This is a Russian hacker group that had its first success with Zeus, a banking Trojan. The most famous product of this group was Dridex, a banking Trojan that earned a lot of money. Dridex was active from 2011 to 2020, and it was developed as an enhancement of Zeus.

The Evil Corp group is lead by Maksim Yakubets and Igor Turashev. In December 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued an arrest warrant for the pair. In addition, it offered a reward of $5 million for information leading to their arrest. But, unfortunately, they still haven’t been arrested.

The main reason for the US authorities’ interest in Evil Corp is Dridex, not the WastedLocker ransomware. However, the serious attention of the US security agencies forced Evil Corp to reassess all of its activities, and the group went quiet, temporarily, through to early 2020.

The source of WastedLocker ransomware

Evil Corp first developed ransomware in 2017 with the Bitpaymer crypter. This was a “big game hunter,” which means that it aimed at large corporations and asked for large ransoms. Bitpaymer was the forerunner of WastedLocker ransomware.

Bitpaymer was launched in 2017, targeting hospitals in the UK. Attacks then moved on to focus on large US corporations. The ransomware’s delivery mechanism was based on Dridex modules.

In 2019, Evil Corp created a variant of Bitpaymer, called DoppelPaymer, a Ransomware-as-a-Service system. RaaS allows other hackers to use a ransomware system for a fee without letting them access the code.

In May 2020, the group launched WastedLocker as a replacement for Bitpaymer. The new ransomware shares some procedural similarities to Bitpaymer, but it has completely different code.

WastedLocker attacks are highly tailored. Not only does the group conduct extensive research to gain entry to a network, but it produces different modules for each attack and a targeted ransom note. The group is also able to adjust an attack as it happens. In some cases, network managers have been able to spot and remove the WastedLocker dropper, causing the group to drop a stealthier replacement manually.

The start of a WastedLocker attack

The majority of the targets for the WastedLocker ransomware have been large US corporations. The victim sees a popup when visiting specific sites that advise them to update their browser. The popup, when pressed, downloads a zip file, which contains a JavaScript module called SocGolish.

The websites that popups appear on are not properties of Evil Corp. Rather, they are owned and run by legitimate organizations, and the Evil Corp group has managed to infect them. News websites are regularly targeted for this infection.

The module installs and executes PowerShell scripts and the Cobalt Strike backdoor. This gives the hackers entry, and they will use both manual and automated methods to proceed with the attack.

What happens in a WastedLocker ransomware attack?

The hacker’s starting point is an endpoint on the system that got the Cobalt Strike backdoor installed. Using experience and a toolkit of system scanning services, the hacker then builds up a profile of user accounts on the endpoint and connections through to other endpoints across the network. The hacker will also investigate backup processes and drop files to get them uploaded to the backup server to trigger a ransomware infection.

At this point, activity is more along the lines of an advanced persistent threat than a ransomware attack. Tools include systems to capture credentials and access a user’s account on the accessed device through a remote access system that enables the hacker to acquire the user’s identity and communicate with others in the organization.

The reconnaissance phase of the attack allows the hacker to move across the network to locate major file stores and database servers, which will become infection targets. Once the team leader is satisfied that enough high-value targets have been acquired, the WastedLocker ransomware is activated.

WastedLocker encryption

The ransomware performs several tasks before it launches encryption. It deletes all shadow copies of working documents that are generated by autosave functions. It will also disable Windows Defender, elevate its account access to Administrator, and install the encryption process as a service.

The system generates a different encryption key for each file. This is an AES cipher with a 256-bit key. Those keys are then listed in a file, which is encrypted with a 4096-bit RSA cipher. This is the public key, which encrypted the files. RSA uses a different key to decrypt. This cannot be derived from the encryption key. Therefore, knowing the public key is no use to the victim. However, it can be used as a reference code for the decryption process. The RSA key pairs seem to be generated offsite, and the public key is sent to the target system while the private key is held on the Evil Corp server for delivery after payment.

The WastedLocker does not encrypt system files or executables, so the computer is still operational. However, it will encrypt working files, such as documents, spreadsheets, images, video, and audio files. It also encrypts database storage files. Rather than just working through a computer alphabetically or starting with the first contacted computer, WastedLocker identifies the most critical data store and begins with what seems to be its highest value directory.

Each file is overwritten with its encrypted version. The filename then gets an extra extension added to it. This is the name of the target company and wasted, for example, a file called expenses.docx on a computer in a company called NewWorks, Inc. will end up with the name expenses.docx.newworkswasted. The encryption process also generates a ransom note for each encrypted file. The note’s text is the same in every case, so you only have to open one of them. This is a text file and has the same name as the encrypted file but with _info. So, in the case of the example, the associated ransom note would be expenses.docx.newworkswasted_info.

The ransom note has the following format:

<victim name>


USE <actor email 1> | <actor email 2> TO GET THE PRICE FOR YOUR DATA




[begin_key]<base64 encoded public key>[end_key]


The email addresses used for contact are used only for one attack. They are always on the following domains:


Once the attack has encrypted all of the target files on the victim’s system that can be reached, the ransomware process ends. It doesn’t continue with other attack strategies, such as deleting files or infecting the boot process. Any new files created after the attack will not be encrypted.

Recovering from a WastedLocker attack

There is no way to decrypt files that have been encrypted during a WastedLocker ransomware attack without paying the ransom. The AES encryption that converts the files is uncrackable, and so is the RSA encryption that protects the list of AES keys. There are no cybersecurity consultancies that offer a decryption service.

The best way to recover from an attack without paying is to ensure that you have backups of all critical files and that your backup process and stores are all very well protected. As the Evil Corp group uses manual exploration and will move around the system for as long as it takes to get all the essential data stores, those backup locations usually also get encrypted.

WastedLocker ransom demands range between $500,000 and $10 million. The most famous attack to date was against US technology firm Garner in October 2020. The company was asked for $10 million. No one knows whether the company paid that total amount. However, they did pay because they got the decryption key. So iSo it seems that the Evil Corp group is prepared to negotiate.

Defending against WastedLocker ransomware

The good news is that WastedLocker is no longer active. However, its successor, called Hades, is in circulation. This is very close to WastedLocker but has some extra obfuscation features to be regarded as WastedLocker II.

The best defense lies in intelligent cybersecurity, susceptible, and sensitive data, which has additional regulations surrounding its use and protection. Here are three cybersecurity packages that provide competent defense against WastedLocker ransomware.

1. CrowdStrike Falcon Insight (FREE TRIAL)

CrowdStrike Falcon Insight

CrowdStrike Falcon Insight is an endpoint detection and response (EDR) package. It includes a coordinating module to create enterprise-wide protection. The endpoint agent installs on Windows, macOS, and Linux and the overseer is a cloud-based service.

The combination of device protection and system monitoring is an excellent defense against ransomware systems such as WastedLocker and Hades. The on-site modules use anomaly detection, enabling it to spot brand new malware or seemingly genuine activities performed by legitimate user accounts. The EDR will isolate devices if it spots suspicious activity. It can also delete malware files and kill processes. The endpoint protection system is fully autonomous, and it can be bought separately. It is marketed as CrowdStrike Falcon Prevent.

The cloud-based module is a threat hunter that relies on uploads of activity logs from the endpoint agents. This gets threat intelligence feeds from CrowdStrike that update its data search strategies. The coordinator will inform all endpoints of detected threats, whether identified in the data or notified by an endpoint.

You can get a 15-day free trial of Falcon Prevent.

Falcon Prevent Start 15-day FREE Trial

2. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus is a sensitive data protector designed for businesses that need to comply with HIPAA, PCI DSS, and other data privacy standards.

The system includes an eDiscovery module that identifies sensitive data stores and categorizes the types of data held there. This enables you to increase security measures for those locations. In addition, the defense system of DataSecurity Plus is implemented as a file integrity monitor (FIM). This will spot encryption actions immediately and block them.

The system examines the processes that try to access sensitive data stores and measures their intent. Then, the package will block any malicious activity by killing processes and suspending compromised user accounts.

DataSecurity Plus is an on-premises software package that installs on Windows Server. It is available for a 30-day free trial.

3. BitDefender GravityZone

Bitdefender GravityZone

BitDefender GravityZone is a bundle of cyber defense systems that work very well in combination to protect against WastedLocker and Hades. The most important defense is its managed backup service.

GravityZone implements malware scanning at several points of the system. It scans endpoints and all files downloaded onto them. The system also guards access to the backup store, scanning every file before letting it on. That even includes manually commanded transfers.

The GravityZone package has a vulnerability scanner and a patch manager to reduce your attack surface. There is also a file integrity monitor in there as a last resort. GravityZone implements automated responses. It can isolate a device as soon as it spots suspicious activity. That will limit the potential damage that WastedLocker and Hades could cause.

BitDefender GravityZone is a software package that runs as a virtual appliance. It is available for a one-month free trial.