The threat actor behind the Dridex Trojan has released a new ransomware following months of development, Fox-IT researchers (part of NCC Group) reveal.
Referred to as Evil Corp, the threat actor is mainly known for attacks involving the Dridex banking Trojan and the Locky ransomware, but has used other malware as well, including ransomware families such as Bart, Jaff, and BitPaymer.
Dubbed WastedLocker, the new piece of ransomware has been in use since May 2020 and shows a few similarities with BitPaymer, such as the use of an abbreviation of the victim’s name when creating filenames, or the presence of the victim name in the ransom note.
The group appears to be carefully selecting victims before deploying the ransomware, and to prefer hitting file servers, database services, virtual machines, and cloud environments. They do not engage in information stealing, most likely as they want to avoid drawing attention.
For distribution, the hackers use the SocGholish fake update framework, which directly delivers a custom Cobalt Strike loader to targeted systems.
On the infected host, WastedLocker first performs a series of operations to ensure it runs properly, and only then it proceeds to encrypting files. If not executed with administrative rights, the ransomware attempts to elevate privileges.
WastedLocker was observed using a known User Account Control (UAC) bypass method that involves the mocking of trusted directories and the use of an alternate data stream (ADS) to load itself into seemingly legitimate processes.
The ransomware can delete shadow copies to prevent data recovery, and can encrypt files in specific directories only, or all files on a drive. The malware targets removable, fixed, shared, and remote drives for encryption.
“Instead of including a list of extension targets, WastedLocker includes a list of directories and extensions to exclude from the encryption process. Files with a size less than 10 bytes are also ignored and in case of a large file, the ransomware encrypts them in blocks of 64MB,” the researchers explain.
The AES algorithm with a newly generated AES key and IV (256-bit in CBC mode) is used for the encryption of each file. The AES key and IV are encrypted with an embedded public RSA key (4096 bits) and the output is converted to base64 and then stored in the ransom note. An additional file containing the ransom note is created for each encrypted file.
Once the encryption process has been completed, the ransomware updates a log file with information on the number of targeted files, number of encrypted files, and number of files not encrypted due to access rights issues. A decrypter for WastedLocker was observed requiring admin privileges and reporting on the number of successfully decrypted files.