Tens of U.S. Businesses Targeted With WastedLocker Ransomware

At least 31 organizations in the United States have been targeted with the recently detailed WastedLocker ransomware, Symantec reports.

The threat is believed to be the work of Evil Corp, the Russia-linked cybergang behind the Dridex Trojan and Locky ransomware, as well as ransomware families such as Bart, Jaff, and BitPaymer.

Last week, NCC Group security researchers revealed that the WastedLocker ransomware is being deployed against carefully selected targets and that the SocGholish fake update framework and a custom Cobalt Strike loader are used for malware dissemination.

Shortly after NCC Group’s report, Symantec published their own take on WastedLocker, revealing that at least 31 organizations in the United States have been targeted with the malware.

Given that the company only counts attacks against its own customers, the total number of intended victims might be much higher, Symantec says.

The security firm uncovered the attacks after hackers had breached the networks of targeted organizations and were setting up for the deployment of ransomware.

“The end goal of these attacks is to cripple the victim’s IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion dollar ransom,” Symantec notes.

The company confirms the use of the SocGholish JavaScript-based framework for malware deployment, saying that it was able to track it to over 150 compromised websites, where it masquerades as a software update.

“Once the attackers gain access to the victim’s network, they use Cobalt Strike commodity malware in tandem with a number of living-off-the-land tools to steal credentials, escalate privileges, and move across the network in order to deploy the WastedLocker ransomware on multiple computers,” Symantec explains.

Most of the targeted organizations are major corporations, including many household names. The list of intended victims includes large private companies, but also 11 publicly listed companies, eight of which are part of the Fortune 500.

Of the 31 targeted organizations, only one was not U.S.-owned; it was a U.S.-based subsidiary of an overseas multinational.

The attackers did not focus on targeting a specific sector, but hit multiple industries instead, with manufacturing being affected the most (5 targeted organizations), followed by IT (4 victims) and media and telecommunications (3 victims).

“Had the attackers not been disrupted, successful attacks could have led to millions in damages, downtime, and a possible domino effect on supply chains,” Symantec says.

Update, July 2, 2020: In a short update posted this week, Symantec pointed out that some of the targeted organizations could have been infected through dozens of U.S. newspaper websites that are owned by the same company and which were all compromised by SocGholish injected code.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
