New WastedLocker Ransomware distributed via fake program updates
By Lawrence Abrams
June 23, 2020
03:12 PM
The Russian cybercrime group known as Evil Corp has added a new ransomware to its arsenal called WastedLocker. This ransomware is used in targeted attacks against the enterprise.
The Evil Corp gang, also known by CrowdStrike as Indrik Spider, started as affiliates for the ZeuS botnet. Over time, they formed into a group that focused on distributing the banking trojan and downloader called Dridex via phishing emails.
As their attacks evolved, the group created a ransomware called BitPaymer which was delivered via the Dridex malware in targeted attacks against corporate networks.
In a new report by NCC Group's Fox-IT security research team, researchers explain that after the indictment of Evil Corp members, Igor Olegovich Turashev and Maksim Viktorovich Yakubets, the hacking group began restructuring their tactics.
As part of this restructuring, Evil Corp has begun distributing a new ransomware variant called WastedLocker in targeted attacks against businesses.
"Evil Corp are selective in terms of the infrastructure they target when deploying their ransomware. Typically, they hit file servers, database services, virtual machines and cloud environments. Of course, these choices will also be heavily influenced by what we may term their ‘business model’ – which also means they should be able to disable or disrupt backup applications and related infrastructure," Fox-IT researcher Stefano Antenucci (@Antelox) explains in the report.
To deliver the ransomware, Evil Corp is hacking into sites to insert malicious code that displays fake software update alerts from the SocGholish fake update framework. Below is an example fake software update seen in other malware campaigns.
[Image: Example fake software update alerts. Source: BleepingComputer]
One of the payloads sent in these attacks is the Cobalt Strike penetration testing and post-exploitation toolkit, which Evil Corp uses to gain access to the infected device.
The threat actors then use this access to compromise the network further and deploy the WastedLocker Ransomware.
Fox-IT noted that, unlike attacks using DoppelPaymer, a ransomware created by a group that split from Evil Corp in 2019, WastedLocker attacks do not appear to steal data before encrypting files.
"It is interesting that the group has not appeared to have engaged in extensive information stealing or threatened to publish information about victims in the way that the DoppelPaymer and many other targeted ransomware operations have. We assess that the probable reason for not leaking victim information is the unwanted attention this would draw from law enforcement and the public," Antenucci theorized.
Taking WastedLocker for a spin
When launched, the WastedLocker ransomware will pick a random EXE or DLL file under C:\Windows\System32 and use that file's name to create a new file without an extension under the %AppData% folder.
[Image: Ransomware executable in %AppData%. Source: BleepingComputer]
Attached to this file is an alternate data stream (ADS) named 'bin', which is what actually gets executed.
[Image: Alternate data stream. Source: BleepingComputer]
According to Fox-IT, once executed, the ransomware will attempt to encrypt all drives on the computer, skipping files in specific folders or containing certain extensions.
"Instead of including a list of extension targets, WastedLocker includes a list of directories and extensions to exclude from the encryption process. Files with a size less than 10 bytes are also ignored and in case of a large file, the ransomware encrypts them in blocks of 64MB."
These attacks are targeted, which means that each WastedLocker build is customized for the specific company it is deployed against.
As part of this customization, the ransomware will combine the 'wasted' string and the company's initials to generate an extension that is appended to a victim's encrypted files.
For example, as shown below, the extension is .eswasted, with 'es' being the victim's initials. If Acme Corporation was the victim, it might be .acwasted.
[Image: WastedLocker encrypted files. Source: BleepingComputer]
For every file that is encrypted, WastedLocker will also create an accompanying ransom note whose name is the encrypted file's name with _info appended.
For example, if Acme Corporation's files were encrypted, the 1.doc file would be encrypted and renamed to 1.doc.acwasted, and a ransom note called 1.doc.acwasted_info would be created alongside it, as shown below.
[Image: WastedLocker ransom note. Source: BleepingComputer]
This is an odd choice: no program is associated with the _info extension, so the note will not open automatically the way a ransom note using the .txt extension would.
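The two artifacts described above, the per-victim "<initials>wasted" extension with its "_info" sibling note and the extensionless %AppData% file carrying a 'bin' alternate data stream, are both cheap to sweep for during triage. The following script is an added example written for this article; it is not code from BleepingComputer or Fox-IT. It assumes the initials are two to four letters (the article only shows two-letter examples), and the file listing and `dir /r` output it runs on are constructed samples, not captures from a real incident.

```python
import re
from pathlib import PureWindowsPath

# Encrypted files end in ".<initials>wasted"; the matching ransom note is the
# encrypted file's full name plus "_info". Initials length is an assumption.
ENCRYPTED_RE = re.compile(r"^(?P<base>.+)\.(?P<initials>[a-z]{2,4})wasted$", re.IGNORECASE)
NOTE_RE = re.compile(r"^(?P<base>.+)\.(?P<initials>[a-z]{2,4})wasted_info$", re.IGNORECASE)

# Stream lines in `dir /r` output look like: "   65,536 name:stream:$DATA"
STREAM_RE = re.compile(r"^\s*(?P<size>[\d,]+)\s+(?P<file>[^:]+):(?P<stream>[^:]+):\$DATA\s*$")


def classify_wastedlocker_files(paths):
    """Split a list of file paths into encrypted files and ransom notes.

    Returns the observed extensions (one per victim, e.g. '.acwasted'), the
    encrypted files, the notes, and any encrypted file lacking its _info
    sibling, which deserves a second look during triage.
    """
    encrypted, notes, extensions = {}, set(), set()
    for p in paths:
        name = PureWindowsPath(p).name
        if NOTE_RE.match(name):
            notes.add(p)
            continue
        m = ENCRYPTED_RE.match(name)
        if m:
            extensions.add("." + m.group("initials").lower() + "wasted")
            encrypted[p] = p + "_info"  # expected note path for this file
    unpaired = sorted(p for p, note in encrypted.items() if note not in notes)
    return {
        "extensions": extensions,
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "unpaired": unpaired,
    }


def find_named_streams(dir_r_output, stream_name="bin"):
    """Parse `dir /r` output and return files carrying a stream of the given name.

    Zone.Identifier streams are everyday browser-download markers and are
    ignored unless explicitly asked for; an extensionless host file is flagged
    because that matches the dropper behaviour described in the article.
    """
    hits = []
    for line in dir_r_output.splitlines():
        m = STREAM_RE.match(line)
        if not m or m.group("stream").lower() != stream_name.lower():
            continue
        fname = m.group("file")
        hits.append({
            "file": fname,
            "stream": m.group("stream"),
            "size": int(m.group("size").replace(",", "")),
            "no_extension": "." not in fname,
        })
    return hits


# Constructed sample data (not from a real incident).
SAMPLE_PATHS = [
    r"D:\Shares\Finance\1.doc.acwasted",
    r"D:\Shares\Finance\1.doc.acwasted_info",
    r"D:\Shares\Finance\budget.xlsx.acwasted",
    r"D:\Shares\Finance\budget.xlsx.acwasted_info",
    r"D:\Shares\HR\photo.jpg.acwasted",        # note missing: worth checking
    r"D:\Shares\HR\readme.txt",                # untouched file
    r"C:\Windows\System32\kernel32.dll",       # in an excluded directory
]

SAMPLE_DIR_R = r"""
 Directory of C:\Users\victim\AppData\Roaming

06/23/2020  03:12 PM    <DIR>          .
06/23/2020  03:12 PM    <DIR>          ..
06/23/2020  03:10 PM            12,288 consent
                                65,536 consent:bin:$DATA
06/20/2020  09:41 AM         1,204,224 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)      1,216,512 bytes
"""

if __name__ == "__main__":
    print(classify_wastedlocker_files(SAMPLE_PATHS))
    print(find_named_streams(SAMPLE_DIR_R))
```

In practice you would feed `classify_wastedlocker_files` a recursive listing of the affected shares and `find_named_streams` the output of `dir /r` run in each user's %AppData% tree; the `unpaired` list and any `no_extension` hit are the items to pull for forensic imaging first.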
This ransom note contains both a protonmail.com and tutanota.com email address and instructions to contact them for the ransom amount.
Antenucci told BleepingComputer that these ransom demands range from $500,000 to millions of dollars.
At this point, WastedLocker's encryption appears to be secure, meaning there is no known way to decrypt files for free.
IOCs
Associated WastedLocker files:
Ransom note text:
Lawrence Abrams Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes malware removal and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.
Comments
BlueCreeper512 - 1 year ago
I love how they named themselves, "Evil Corp", like it wasn't obvious already.