Security Experts:

Connect with us

Hi, what are you looking for?



Dridex Operators Develop ‘WastedLocker’ Ransomware

The threat actor behind the Dridex Trojan has released a new ransomware following months of development, Fox-IT researchers (part of NCC Group) reveal.

The threat actor behind the Dridex Trojan has released a new ransomware following months of development, Fox-IT researchers (part of NCC Group) reveal.

Referred to as Evil Corp, the threat actor is mainly known for attacks involving the Dridex banking Trojan and the Locky ransomware, but has used other malware as well, including ransomware families such as Bart, Jaff, and BitPaymer.

Dubbed WastedLocker, the new piece of ransomware has been in use since May 2020 and shows a few similarities with BitPaymer, such as the use of an abbreviation of the victim’s name when creating filenames, or the presence of the victim name in the ransom note.

The group appears to be carefully selecting victims before deploying the ransomware, and to prefer hitting file servers, database services, virtual machines, and cloud environments. They do not engage in information stealing, most likely as they want to avoid drawing attention.

For distribution, the hackers use the SocGholish fake update framework, which directly delivers a custom Cobalt Strike loader to targeted systems.

On the infected host, WastedLocker first performs a series of operations to ensure it runs properly, and only then it proceeds to encrypting files. If not executed with administrative rights, the ransomware attempts to elevate privileges.

WastedLocker was observed using a known User Account Control (UAC) bypass method that involves the mocking of trusted directories and the use of an alternate data stream (ADS) to load itself into seemingly legitimate processes.

The ransomware can delete shadow copies to prevent data recovery, and can encrypt files in specific directories only, or all files on a drive. The malware targets removable, fixed, shared, and remote drives for encryption.

“Instead of including a list of extension targets, WastedLocker includes a list of directories and extensions to exclude from the encryption process. Files with a size less than 10 bytes are also ignored and in case of a large file, the ransomware encrypts them in blocks of 64MB,” the researchers explain.

The AES algorithm with a newly generated AES key and IV (256-bit in CBC mode) is used for the encryption of each file. The AES key and IV are encrypted with an embedded public RSA key (4096 bits) and the output is converted to base64 and then stored in the ransom note. An additional file containing the ransom note is created for each encrypted file.

Once the encryption process has been completed, the ransomware updates a log file with information on the number of targeted files, number of encrypted files, and number of files not encrypted due to access rights issues. A decrypter for WastedLocker was observed requiring admin privileges and reporting on the number of successfully decrypted files.

Related: Hackers Attempted to Deploy Ransomware in Attacks Targeting Sophos Firewalls

Related: Human-Operated Ransomware Is a Growing Threat to Businesses: Microsoft

Related: Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack