Tens of U.S. Businesses Targeted With WastedLocker Ransomware

At least 31 organizations in the United States have been targeted with the recently detailed WastedLocker ransomware, Symantec reports.

The threat is believed to be the work of Evil Corp, the Russia-linked cybergang behind the Dridex Trojan and Locky ransomware, as well as ransomware families such as Bart, Jaff, and BitPaymer.

Last week, NCC Group security researchers revealed that the WastedLocker ransomware is being deployed against carefully selected targets and that the SocGholish fake update framework and a custom Cobalt Strike loader are used for malware dissemination.

Shortly after NCC Group’s report, Symantec published their own take on WastedLocker, revealing that at least 31 organizations in the United States have been targeted with the malware.

Given that the company only counts attacks against its own customers, the total number of intended victims might be much higher, Symantec says.

The security firm uncovered the attacks after hackers had breached the networks of targeted organizations and were setting up for the deployment of ransomware.

“The end goal of these attacks is to cripple the victim’s IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion dollar ransom,” Symantec notes.

The company confirms the use of the SocGholish JavaScript-based framework for malware deployment, saying that it was able to track it to over 150 compromised websites, where it masquerades as a software update.

“Once the attackers gain access to the victim’s network, they use Cobalt Strike commodity malware in tandem with a number of living-off-the-land tools to steal credentials, escalate privileges, and move across the network in order to deploy the WastedLocker ransomware on multiple computers,” Symantec explains.

Most of the targeted organizations are major corporations, including many household names. The list of intended victims includes large private companies, but also 11 listed companies, eight of which are part of the Fortune 500.

Of the 31 targeted organizations, only one was not U.S. owned, but a U.S.-based subsidiary of an overseas multinational.

The attackers did not focus on targeting a specific sector, but hit multiple industries instead, with manufacturing being affected the most (5 targeted organizations), followed by IT (4 victims) and media and telecommunications (3 victims).

“Had the attackers not been disrupted, successful attacks could have led to millions in damages, downtime, and a possible domino effect on supply chains,” Symantec says.

Update, July 2, 2020: In a short update posted this week, Symantec pointed out that some of the targeted organizations could have been infected through dozens of U.S. newspaper websites that are owned by the same company and which were all compromised by SocGholish injected code.

Related: Dridex Operators Develop ‘WastedLocker’ Ransomware

Related: Hackers Attempted to Deploy Ransomware in Attacks Targeting Sophos Firewalls

Related: Human-Operated Ransomware Is a Growing Threat to Businesses: Microsoft