News and Threat Analysis

EVIL CORP GIVES BIRTH TO A NEW RANSOMWARE: WASTEDLOCKER

Whenever news like this breaks, Russian-speaking crime groups come to mind. They are widely regarded as among the most capable ransomware operators in the world, and the volume of ransomware they launch and the techniques they use set them apart from other groups. In keeping with this pattern, researchers at NCC Group have analysed a new malware variant attributed to the well-known group “Evil Corp”, previously associated with the Dridex banking trojan and the BitPaymer ransomware. The new family is named “WastedLocker”, and NCC Group began investigating it in early May 2020. The name WastedLocker combines two words:

  • “Locker”, after the file the ransomware creates on the victim’s computer.
  • “wasted”, signalling that the files the ransomware has processed are no longer usable (the same word is appended to the extension of every encrypted file).

This new ransomware targets file servers, database services, virtual machines and cloud environments, and can ultimately cripple the infrastructure behind a business application. Its main purpose is to encrypt the files on every host it reaches.

ANATOMY AND ANALYSIS OF THE RANSOMWARE

WastedLocker does not arrive on its own; it relies on an earlier-stage trojan to deliver it. In the first stage, the attackers get SocGholish onto the victim’s system. SocGholish presents fake browser and Flash update prompts that convince the victim to “upgrade” their software. As soon as the update button is clicked, JavaScript runs, sends information about the victim’s machine to the SocGholish server and receives a payload in return. The server sends back two PowerShell scripts that carry Cobalt Strike payloads.

The payloads are obfuscated with a well-known crypter, CryptOne. The crypter first allocates a memory buffer by calling the VirtualAlloc API and decrypts the payload into it using an XOR-based algorithm. Once decryption is done, the crypter jumps into the decrypted data blob, which turns out to be shellcode responsible for decrypting the actual payload.

The first PowerShell script decodes the Cobalt Strike payload, which is base64-encoded twice, then decrypts it, converts it into a byte array and allocates memory in which to execute it. The second PowerShell script decodes the other two payloads.
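The staging step described above (two base64 layers, then an XOR-decrypted blob) is what an analyst has to undo to get at the payload without running it. The following Python is an added example for this article, not code from NCC Group or from the malware: the sample payload is constructed, and the single-byte repeating XOR key and the “MZ” crib used to recover it are assumptions about the loader, not details taken from the report. Instead of jumping into the decrypted blob the way the crypter does, it returns the bytes so they can be hashed or written to disk.

```python
"""Decode a CryptOne-style staged payload: base64 twice, then XOR.

Added example for this article, not code from NCC Group or the malware.
The sample payload is constructed; the single-byte XOR key and the "MZ"
crib are assumptions, not details taken from the report.
"""
import base64
import hashlib
from typing import Optional, Tuple

# Constructed stand-in for a decrypted payload: a PE-like header plus filler.
PLAIN_PAYLOAD = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + bytes(range(64))
ASSUMED_KEY = 0x5A  # hypothetical key; the real loader's key is not on the page


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte repeating XOR (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def build_stage(plain: bytes, key: int) -> str:
    """Construct what the server hands back: XOR, then base64 applied twice."""
    once = base64.b64encode(xor_bytes(plain, key))
    return base64.b64encode(once).decode("ascii")


def strip_double_base64(blob: str) -> bytes:
    """Undo the two base64 layers the first PowerShell script decodes."""
    return base64.b64decode(base64.b64decode(blob))


def recover_xor_key(cipher: bytes, crib: bytes = b"MZ") -> Optional[int]:
    """Brute-force a single-byte key by checking for an expected prefix (crib).

    For a single-byte key the first crib byte fixes the candidate; the rest
    of the crib only confirms it, so a wrong crib yields None, not a guess.
    """
    for key in range(256):
        if xor_bytes(cipher[: len(crib)], key) == crib:
            return key
    return None


def decode_stage(blob: str) -> Optional[Tuple[int, bytes]]:
    """Peel both base64 layers, recover the key and return (key, payload)."""
    cipher = strip_double_base64(blob)
    key = recover_xor_key(cipher)
    if key is None:
        return None
    return key, xor_bytes(cipher, key)


def payload_sha256(blob: str) -> Optional[str]:
    """SHA-256 of the recovered payload, for matching against published IOCs."""
    decoded = decode_stage(blob)
    if decoded is None:
        return None
    return hashlib.sha256(decoded[1]).hexdigest()


if __name__ == "__main__":
    stage = build_stage(PLAIN_PAYLOAD, ASSUMED_KEY)
    key, payload = decode_stage(stage)
    print(f"recovered key 0x{key:02x}, payload starts {payload[:2]!r}, sha256 {payload_sha256(stage)}")
```

If the real loader uses a multi-byte key or a different header, swap the crib (for example the start of a known Cobalt Strike stager) and extend the brute force accordingly; the double-base64 stripping stays the same.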

5cd04805f9753ca08b82e88c27bf5426d1d356bb26b2818855730510489113678
87aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d88
97db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80bcd
ac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8e3bf
41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8ebed063
2acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3

WastedLocker samples (SHA256). Note that, as reproduced above, not every hash is exactly 64 hexadecimal characters; verify them against the original NCC Group report before loading them into a blocklist.

Once the payloads are decrypted and the ransomware itself runs, it first creates a log file named lck.log and installs an exception handler that writes a crash dump to the Windows temporary folder, using the ransomware’s own binary filename for the dump. The ransomware wants administrative rights; if it is not already running with them, it uses a well-documented UAC bypass to obtain them. It then checks and modifies several registry values before starting encryption. It enumerates drives of type Removable, Fixed, Shared and Remote and encrypts the files on them. For each encrypted file, the ransomware writes an additional file containing the ransom note, which tells the victim how to contact the operators for the price and what to do with the encrypted file. The extension of each encrypted file is derived from an abbreviation of the target organisation’s name with the word wasted appended, so the extension itself identifies the victim.

*ORGANIZATION_NAME*

YOUR NETWORK IS ENCRYPTED NOW

USE *EMAIL1* | *EMAIL2* TO GET THE PRICE FOR YOUR DATA

DO NOT GIVE THIS EMAIL TO 3RD PARTIES

DO NOT RENAME OR MOVE THE FILE

THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:

[begin_key]*[end_key]

KEEP IT

Ransom Note
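For responders, the two artefacts described above (a victim-specific extension ending in wasted, and a separate note file per encrypted file carrying the banner shown) are enough to build a quick triage scan. The following Python is an added example for this article, not code from NCC Group or the ransomware. It identifies encrypted files by extension and note files by content rather than by name, because the article does not give the note’s filename; the directory tree, the “_note.txt” suffix used to drop the sample notes, the organisation name, the contact addresses and the key blob are all constructed for the demo.

```python
"""Triage scan for WastedLocker-style artefacts.

Added example for this article, not code from NCC Group or the ransomware.
Encrypted files are matched by an extension ending in "wasted" (victim
abbreviation + "wasted"); notes are matched by the banner text, not by
filename. The demo tree, note text, emails and key blob are constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional

NOTE_BANNER = "YOUR NETWORK IS ENCRYPTED NOW"
KEY_RE = re.compile(r"\[begin_key\](.*?)\[end_key\]", re.S)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def is_wasted_extension(filename: str) -> bool:
    """True for names like report.xlsx.abcwasted (extension ends in 'wasted')."""
    return os.path.splitext(filename)[1].lower().endswith("wasted")


def parse_ransom_note(text: str) -> Optional[Dict[str, object]]:
    """Return organisation name, contact emails and key blob, or None if not a note."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if NOTE_BANNER not in lines:
        return None
    org = lines[0] if lines[0] != NOTE_BANNER else ""  # first line is *ORGANIZATION_NAME*
    key_match = KEY_RE.search(text)
    return {
        "org": org,
        "emails": EMAIL_RE.findall(text),
        "key": key_match.group(1).strip() if key_match else None,
    }


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root, classify encrypted files and notes, and collect victim extensions."""
    encrypted, notes, extensions = [], [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_wasted_extension(name):
                encrypted.append(path)
                extensions.add(os.path.splitext(name)[1].lower())
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    head = fh.read(4096)  # the banner sits near the top of the note
            except OSError:
                continue
            if parse_ransom_note(head) is not None:
                notes.append(path)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "extensions": sorted(extensions)}


# Constructed note following the template shown in the article; values are fake.
CONSTRUCTED_NOTE = """ACME CORP

YOUR NETWORK IS ENCRYPTED NOW

USE first@example.invalid | second@example.invalid TO GET THE PRICE FOR YOUR DATA

DO NOT GIVE THIS EMAIL TO 3RD PARTIES

DO NOT RENAME OR MOVE THE FILE

THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:

[begin_key]ZmFrZS1rZXktYmxvYg==[end_key]

KEEP IT
"""


def build_demo_tree() -> str:
    """Create a throwaway tree: two 'encrypted' files, a note beside each, one clean file."""
    root = tempfile.mkdtemp(prefix="wasted_demo_")
    os.makedirs(os.path.join(root, "finance"))
    for victim in ("budget.xlsx.acmwasted", os.path.join("finance", "q2.docx.acmwasted")):
        with open(os.path.join(root, victim), "wb") as fh:
            fh.write(os.urandom(64))  # stand-in for ciphertext
        # "_note.txt" is a hypothetical name chosen for the demo, not the real one
        with open(os.path.join(root, victim + "_note.txt"), "w") as fh:
            fh.write(CONSTRUCTED_NOTE)
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("ordinary file, nothing to see")
    return root


if __name__ == "__main__":
    result = scan_tree(build_demo_tree())
    print(f"{len(result['encrypted'])} encrypted, {len(result['notes'])} notes, extensions {result['extensions']}")
```

Matching notes by banner text rather than filename means the scan still works if the operators change the companion file’s name, and the collected extension set tells you immediately which victim abbreviation was compiled into the sample.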

CONCLUSION

WastedLocker is one of the more dangerous file-encrypting ransomware families, with a structured, hands-on approach to controlling the target. It has modules for both 32-bit and 64-bit architectures. Despite the damage it causes, its operators have not engaged in extensive data theft, nor have they threatened to publish victim data when the ransom is not paid, as the DoppelPaymer operators and many other targeted ransomware crews do. The researchers also say they have identified a decrypter that can recover the files. We at Ethical Debuggers recommend checking nomoreransom.org for a decrypter rather than paying these criminal groups.