Tens of U.S. Businesses Targeted With WastedLocker Ransomware

At least 31 organizations in the United States have been targeted with the recently detailed WastedLocker ransomware, Symantec reports.

The threat is believed to be the work of Evil Corp, the Russia-linked cybergang behind the Dridex Trojan and Locky ransomware, as well as ransomware families such as Bart, Jaff, and BitPaymer.

Last week, NCC Group security researchers revealed that the WastedLocker ransomware is being deployed against carefully selected targets and that the SocGholish fake update framework and a custom Cobalt Strike loader are used for malware dissemination.

Shortly after NCC Group’s report, Symantec published its own analysis of WastedLocker, revealing that at least 31 organizations in the United States have been targeted with the malware.

Given that the company only counts attacks against its own customers, the total number of intended victims might be much higher, Symantec says.

The security firm uncovered the attacks after hackers had breached the networks of targeted organizations and were setting up for the deployment of ransomware.

“The end goal of these attacks is to cripple the victim’s IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion dollar ransom,” Symantec notes.

The company confirms the use of the SocGholish JavaScript-based framework for malware deployment, saying that it was able to track the framework to over 150 compromised websites, where it masquerades as a software update.

“Once the attackers gain access to the victim’s network, they use Cobalt Strike commodity malware in tandem with a number of living-off-the-land tools to steal credentials, escalate privileges, and move across the network in order to deploy the WastedLocker ransomware on multiple computers,” Symantec explains.

Most of the targeted organizations are major corporations, including many household names. The list of intended victims includes large private companies, as well as 11 publicly listed companies, eight of which are part of the Fortune 500.

Of the 31 targeted organizations, only one was not U.S.-owned; it was a U.S.-based subsidiary of an overseas multinational.

The attackers did not focus on a specific sector, but hit multiple industries, with manufacturing affected the most (5 targeted organizations), followed by IT (4 organizations) and media and telecommunications (3 organizations).

“Had the attackers not been disrupted, successful attacks could have led to millions in damages, downtime, and a possible domino effect on supply chains,” Symantec says.

Update, July 2, 2020: In a short update posted this week, Symantec pointed out that some of the targeted organizations could have been infected through dozens of U.S. newspaper websites, all owned by the same company, that had been compromised with injected SocGholish code.

Related: Dridex Operators Develop ‘WastedLocker’ Ransomware

Related: Hackers Attempted to Deploy Ransomware in Attacks Targeting Sophos Firewalls

Related: Human-Operated Ransomware Is a Growing Threat to Businesses: Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
