Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Dridex Operators Develop ‘WastedLocker’ Ransomware

The threat actor behind the Dridex Trojan has released a new ransomware following months of development, Fox-IT researchers (part of NCC Group) reveal.

The threat actor behind the Dridex Trojan has released a new ransomware following months of development, Fox-IT researchers (part of NCC Group) reveal.

Referred to as Evil Corp, the threat actor is mainly known for attacks involving the Dridex banking Trojan and the Locky ransomware, but has used other malware as well, including ransomware families such as Bart, Jaff, and BitPaymer.

Dubbed WastedLocker, the new piece of ransomware has been in use since May 2020 and shows a few similarities with BitPaymer, such as the use of an abbreviation of the victim’s name when creating filenames, or the presence of the victim name in the ransom note.

The group appears to be carefully selecting victims before deploying the ransomware, and to prefer hitting file servers, database services, virtual machines, and cloud environments. They do not engage in information stealing, most likely as they want to avoid drawing attention.

For distribution, the hackers use the SocGholish fake update framework, which directly delivers a custom Cobalt Strike loader to targeted systems.

On the infected host, WastedLocker first performs a series of operations to ensure it runs properly, and only then it proceeds to encrypting files. If not executed with administrative rights, the ransomware attempts to elevate privileges.

WastedLocker was observed using a known User Account Control (UAC) bypass method that involves the mocking of trusted directories and the use of an alternate data stream (ADS) to load itself into seemingly legitimate processes.

The ransomware can delete shadow copies to prevent data recovery, and can encrypt files in specific directories only, or all files on a drive. The malware targets removable, fixed, shared, and remote drives for encryption.

Advertisement. Scroll to continue reading.

“Instead of including a list of extension targets, WastedLocker includes a list of directories and extensions to exclude from the encryption process. Files with a size less than 10 bytes are also ignored and in case of a large file, the ransomware encrypts them in blocks of 64MB,” the researchers explain.

The AES algorithm with a newly generated AES key and IV (256-bit in CBC mode) is used for the encryption of each file. The AES key and IV are encrypted with an embedded public RSA key (4096 bits) and the output is converted to base64 and then stored in the ransom note. An additional file containing the ransom note is created for each encrypted file.

Once the encryption process has been completed, the ransomware updates a log file with information on the number of targeted files, number of encrypted files, and number of files not encrypted due to access rights issues. A decrypter for WastedLocker was observed requiring admin privileges and reporting on the number of successfully decrypted files.

Related: Hackers Attempted to Deploy Ransomware in Attacks Targeting Sophos Firewalls

Related: Human-Operated Ransomware Is a Growing Threat to Businesses: Microsoft

Related: Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.