Content, Content, Ransomware

WastedLocker Ransomware Attacks: Symantec Research Offers Details

At least 31 U.S.-based large corporations have been attacked by a relatively new brand of targeted ransomware to force the victims to meet the unknown cyber gangs’ demand for millions in ransom.

Related Update, July 2020: Smartwatch maker Garmin suffers WastedLocker ransomware attack.

The ransomware is known as WastedLocker and is thought to be attributed to the Evil Corp cyber crew involved in the BitPaymer operation that netted its backers millions. Two Russian operatives, already under open indictments in the U.S., are said to be involved in the WastedLocker subterfuge.

All the known WastedLocker attacks were launched against Symantec’s customers, the security provider said in a new report. The cyber assailants were in the process of staging the ransomware attacks when Symantec, which discovered the infiltration while examining unusual behavior on some of its customers’ networks, interrupted the potential score. U.K.-based security and risk consultant NCC Group first documented the malware just ahead of Symantec’s outreach to its customers.

Symantec declined to name the affected organizations but allowed that all but one are located in the U.S. and most are major, recognizable corporations. Included are 11 listed companies, eight of which are Fortune 500 businesses. The one non-U.S. owned company is a subsidiary of a multinational conglomerate headquartered overseas. The mugged organizations engaged in manufacturing, information technology and media and communications.

Had Symantec not intervened, “successful attacks could have led to millions in damages, downtime, and a possible domino effect on supply chains,” Symantec said. The security specialist has alerted all of its customers struck by the malware.

Here’s how the attacks work: (via Symantec)

  • A malicious JavaScript-based framework known as SocGholish is delivered to the victim in a zipped file via compromised legitimate websites. Symantec said it found some 150 different legitimate websites referring traffic to websites hosting the SocGholish zip file.
  • The zipped file contains malicious JavaScript, masquerading as a browser update. A second JavaScript file profiles the computer and uses PowerShell to download additional discovery related PowerShell scripts.
  • Once the attackers gain network access, they use Cobalt Strike commodity malware with living-off-the-land tools to steal credentials, escalate privileges, and move across the network to deploy WastedLocker on multiple computers.
  • PowerShell is used to download and execute a loader from a domain publicly reported as being used to deliver Cobalt Strike as part of WastedLocker attacks. The loader also shares a command and control domain with this reported Cobalt Strike infrastructure. An injected payload, known as Cobalt Strike Beacon, is used to execute commands, inject other processes, elevate current processes or impersonate other processes, and upload and download files.
  • Privilege escalation is performed using a publicly documented technique involving the Software Licensing User Interface tool, a command line utility responsible for activating and updating the Windows operating system.
  • The attackers use the Windows Management Instrumentation Command Line Utility to execute commands on remote computers, such as adding a new user or execute additional downloaded PowerShell scripts.
  • The attackers launch a legitimate command line tool for managing Windows Defender to disable scanning of all downloaded files and attachments, remove all installed definitions, and, in some cases, disable real-time monitoring.
  • Finally, the Windows Sysinternals tool PsExec is used to launch the WastedLocker ransomware, which then begins encrypting data and deleting shadow volumes.

“The attackers behind this threat appear to be skilled and experienced, capable of penetrating some of the most well protected corporations, stealing credentials, and moving with ease across their networks,” the researchers said. “As such, WastedLocker is a highly dangerous piece of ransomware. A successful attack could cripple the victim’s network, leading to significant disruption to their operations and a costly clean-up operation.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.