Connect with us

Hi, what are you looking for?



Dridex Operators Develop ‘WastedLocker’ Ransomware

The threat actor behind the Dridex Trojan has released a new ransomware following months of development, Fox-IT researchers (part of NCC Group) reveal.

The threat actor behind the Dridex Trojan has released a new ransomware following months of development, Fox-IT researchers (part of NCC Group) reveal.

Referred to as Evil Corp, the threat actor is mainly known for attacks involving the Dridex banking Trojan and the Locky ransomware, but has used other malware as well, including ransomware families such as Bart, Jaff, and BitPaymer.

Dubbed WastedLocker, the new piece of ransomware has been in use since May 2020 and shows a few similarities with BitPaymer, such as the use of an abbreviation of the victim’s name when creating filenames, or the presence of the victim name in the ransom note.

The group appears to be carefully selecting victims before deploying the ransomware, and to prefer hitting file servers, database services, virtual machines, and cloud environments. They do not engage in information stealing, most likely as they want to avoid drawing attention.

For distribution, the hackers use the SocGholish fake update framework, which directly delivers a custom Cobalt Strike loader to targeted systems.

On the infected host, WastedLocker first performs a series of operations to ensure it runs properly, and only then it proceeds to encrypting files. If not executed with administrative rights, the ransomware attempts to elevate privileges.

WastedLocker was observed using a known User Account Control (UAC) bypass method that involves the mocking of trusted directories and the use of an alternate data stream (ADS) to load itself into seemingly legitimate processes.

Advertisement. Scroll to continue reading.

The ransomware can delete shadow copies to prevent data recovery, and can encrypt files in specific directories only, or all files on a drive. The malware targets removable, fixed, shared, and remote drives for encryption.

“Instead of including a list of extension targets, WastedLocker includes a list of directories and extensions to exclude from the encryption process. Files with a size less than 10 bytes are also ignored and in case of a large file, the ransomware encrypts them in blocks of 64MB,” the researchers explain.

The AES algorithm with a newly generated AES key and IV (256-bit in CBC mode) is used for the encryption of each file. The AES key and IV are encrypted with an embedded public RSA key (4096 bits) and the output is converted to base64 and then stored in the ransom note. An additional file containing the ransom note is created for each encrypted file.

Once the encryption process has been completed, the ransomware updates a log file with information on the number of targeted files, number of encrypted files, and number of files not encrypted due to access rights issues. A decrypter for WastedLocker was observed requiring admin privileges and reporting on the number of successfully decrypted files.

Related: Hackers Attempted to Deploy Ransomware in Attacks Targeting Sophos Firewalls

Related: Human-Operated Ransomware Is a Growing Threat to Businesses: Microsoft

Related: Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...