What is WastedLocker ransomware and how to protect against it

Like most ransomware, WastedLocker attacks computers running Windows. However, WastedLocker is a big game hunter.

WastedLocker attacks large corporations and asks for huge ransoms. While many ransomware attacks ask for a few hundred dollars, it demands millions of dollars.

The hacker group behind WastedLocker is very well organized. Since the early years of this century, the team has been in operation and has earned more than $100 million.

Here is our list of the best ransomware tools that will protect against WastedLocker:

  1. CrowdStrike Falcon Insight (EDITOR’S CHOICE) Provides two levels of protection through a full anti-malware package on each device and a cloud-based threat hunter that gathers activity reports from endpoint units. Installs on Windows, macOS, and Linux. Get a 15-day free trial.
  2. ManageEngine DataSecurity Plus This large package is delivered in four units, which can be purchased individually, and they provide data protection methods to block ransomware tampering. Runs on Windows Server. Get a 30-day free trial.
  3. Bitdefender GravityZone This package of malware protection and backup software is available in editions to suit different sizes of businesses. Runs on Windows, macOS, and Linux.

Who is behind WastedLocker ransomware?

WastedLocker is a product of Evil Corp, which is also known as Indrik Spider. This is a Russian hacker group that had its first success with Zeus, a banking Trojan. The most famous product of this group was Dridex, a banking Trojan that earned a lot of money. Dridex was active from 2011 to 2020, and it was developed as an enhancement of Zeus.

The Evil Corp group is led by Maksim Yakubets and Igor Turashev. In December 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued an arrest warrant for the pair. In addition, it offered a reward of $5 million for information leading to their arrest. But, unfortunately, they still haven’t been arrested.

The main reason for the US authorities’ interest in Evil Corp is Dridex, not the WastedLocker ransomware. However, the serious attention of the US security agencies forced Evil Corp to reassess all of its activities, and the group went quiet, temporarily, through to early 2020.

The source of WastedLocker ransomware

Evil Corp first developed ransomware in 2017 with the Bitpaymer crypter. This was a “big game hunter”, aimed at large corporations and asking for large ransoms. Bitpaymer was the forerunner of WastedLocker ransomware.

Bitpaymer was launched in 2017, targeting hospitals in the UK. Attacks then moved on to focus on large US corporations. The ransomware’s delivery mechanism was based on Dridex modules.

In 2019, Evil Corp created a variant of Bitpaymer, called DoppelPaymer, a Ransomware-as-a-Service system. RaaS allows other hackers to use a ransomware system for a fee without letting them access the code.

In May 2020, the group launched WastedLocker as a replacement for Bitpaymer. The new ransomware shares some procedural similarities to Bitpaymer, but with completely different code.

WastedLocker attacks are highly tailored. Not only does the group conduct extensive research to gain entry to a network, but it produces different modules for each attack and a targeted ransom note. The group is also able to adjust an attack as it happens. In some cases, network managers have been able to spot and remove the WastedLocker dropper, causing the group to drop a stealthier replacement manually.

The start of a WastedLocker attack

The majority of the targets for the WastedLocker ransomware have been large US corporations. The victim sees a popup when visiting specific sites that advises them to update their browser. When clicked, the popup downloads a zip file containing a JavaScript module called SocGholish.

The websites on which the popups appear are not properties of Evil Corp. Rather, they are owned and run by legitimate organizations, and the Evil Corp group has managed to infect them. News websites are regularly targeted for this infection.

The module installs and executes PowerShell scripts and the Cobalt Strike backdoor. This gives the hackers entry, and they will use both manual and automated methods to proceed with the attack.

What happens in a WastedLocker ransomware attack?

The hacker’s starting point is the endpoint on which the Cobalt Strike backdoor was installed. Using experience and a toolkit of system scanning services, the hacker builds up a profile of the user accounts on that endpoint and of its connections to other endpoints across the network. The hacker will also investigate backup processes and drop files that get uploaded to the backup server, in order to trigger a ransomware infection there as well.

At this point, the activity is closer to an advanced persistent threat than to a ransomware attack. The tools include systems that capture credentials and access a user’s account on the compromised device through a remote access system, which lets the hacker assume the user’s identity and communicate with others in the organization.

The reconnaissance phase of the attack allows the hacker to move across the network to locate major file stores and database servers, which will become infection targets. Once the team leader is satisfied that enough high-value targets have been acquired, the WastedLocker ransomware is activated.

WastedLocker encryption

The ransomware performs several tasks before it launches encryption. It deletes all shadow copies of working documents that are generated by autosave functions. It will also disable Windows Defender, elevate its account access to Administrator, and install the encryption process as a service.
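The pre-encryption tasks listed above (shadow copy deletion, disabling Windows Defender, registering the encryptor as a service) are the last moment at which a defender can act before data is lost, and they all leave process-creation events behind. The following script is an added example and is not code from the article or from any of the products it reviews. It runs three precursor rules over constructed process-creation log lines (the log format, host names, account names and command lines are all invented for the example) and raises a host-level alert only when two or more distinct precursor behaviours are seen on the same host, because any one of them on its own can be legitimate administrative work.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample process-creation events (not real telemetry). Format assumed
# for the example: "<timestamp> host=<name> user=<account> cmd=<command line>".
SAMPLE_EVENTS = [
    "2020-05-12T09:14:02Z host=FS01 user=CORP\\jdoe cmd=notepad.exe C:\\Users\\jdoe\\notes.txt",
    "2020-05-12T09:15:11Z host=FS01 user=CORP\\svc_backup cmd=vssadmin.exe delete shadows /all /quiet",
    "2020-05-12T09:15:13Z host=FS01 user=CORP\\svc_backup cmd=powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true",
    "2020-05-12T09:15:20Z host=FS01 user=CORP\\svc_backup cmd=sc.exe create UpdaterSvc binPath= C:\\ProgramData\\upd.exe start= auto",
    "2020-05-12T09:16:00Z host=WS07 user=CORP\\asmith cmd=outlook.exe",
]

# One case-insensitive regex per precursor behaviour described in the article.
RULES: Dict[str, "re.Pattern[str]"] = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "defender_tampering": re.compile(r"Set-MpPreference.*-Disable\w+", re.I),
    "service_installation": re.compile(r"\bsc(\.exe)?\s+create\b", re.I),
}

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; return None for lines that do not fit the format."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def scan_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) pair whose command line matches a precursor rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": name, "cmd": ev["cmd"]})
    return hits


def correlate_by_host(hits: List[Dict[str, str]], min_rules: int = 2) -> Dict[str, List[str]]:
    """Hosts on which at least `min_rules` distinct precursor rules fired.

    A lone shadow-copy deletion or service install can be routine; several of these
    behaviours on one host in sequence is the pattern worth paging someone for.
    """
    rules_per_host = defaultdict(set)
    for h in hits:
        rules_per_host[h["host"]].add(h["rule"])
    return {host: sorted(rules) for host, rules in rules_per_host.items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['ts']} {h['host']} {h['user']} [{h['rule']}] {h['cmd']}")
    print("hosts to isolate:", correlate_by_host(found))
```

In the sample, FS01 trips all three rules within twenty seconds and is reported; WS07 is not. The threshold and the rule set are the two knobs to tune against your own baseline of admin activity.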

The ransomware generates a different encryption key for each file, using an AES cipher with a 256-bit key. Those AES keys are then listed in a file, which is encrypted with a 4096-bit RSA public key. RSA uses a different key to decrypt, and that private key cannot be derived from the public key. Therefore, knowing the public key is no use to the victim, although it serves as a reference code for the decryption process. The RSA key pairs seem to be generated offsite: the public key is sent to the target system, while the private key is held on the Evil Corp server for delivery after payment.

WastedLocker does not encrypt system files or executables, so the computer remains operational. However, it will encrypt working files, such as documents, spreadsheets, images, video, and audio files. It also encrypts database storage files. Rather than just working through a computer alphabetically or starting with the first contacted computer, WastedLocker identifies the most critical data store and begins with what seems to be its highest-value directory.

Each file is overwritten with its encrypted version. The filename then gets an extra extension added to it, made up of the name of the target company followed by wasted. For example, a file called expenses.docx on a computer in a company called NewWorks, Inc. will end up with the name expenses.docx.newworkswasted. The encryption process also generates a ransom note for each encrypted file. The note’s text is the same in every case, so you only have to open one of them. This is a text file with the same name as the encrypted file but with _info appended. So, in the case of the example, the associated ransom note would be expenses.docx.newworkswasted_info.

The ransom note has the following format:

<victim name>

YOUR NETWORK IS ENCRYPTED NOW

USE <actor email 1> | <actor email 2> TO GET THE PRICE FOR YOUR DATA

DO NOT GIVE THIS EMAIL TO 3RD PARTIES

DO NOT RENAME OR MOVE THE FILE

THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:

[begin_key]<base64 encoded public key>[end_key]

KEEP IT

Each contact email address is used for only one attack. The addresses are always on the following domains:

Once the attack has encrypted all of the target files on the victim’s system that can be reached, the ransomware process ends. It doesn’t continue with other attack strategies, such as deleting files or infecting the boot process. Any new files created after the attack will not be encrypted.

Recovering from a WastedLocker attack

There is no way to decrypt files that have been encrypted during a WastedLocker ransomware attack without paying the ransom. The AES encryption that converts the files is uncrackable, and so is the RSA encryption that protects the list of AES keys. There are no cybersecurity consultancies that offer a decryption service.

The best way to recover from an attack without paying is to ensure that you have backups of all critical files, and that your backup process and stores are all very well protected. As the Evil Corp group uses manual exploration and will move around the system for as long as it takes to get all the essential data stores, those backup locations usually also get encrypted.

WastedLocker ransom demands range between $500,000 and $10 million. The most famous attack to date was against US technology firm Garmin in October 2020. The company was asked for $10 million. No one knows whether the company paid that total amount. However, they did pay, because they got the decryption key. So it seems that the Evil Corp group is prepared to negotiate.

Defending against WastedLocker ransomware

The good news is that WastedLocker is no longer active. However, its successor, called Hades, is in circulation. It is close enough to WastedLocker, with some extra obfuscation features added, to be regarded as WastedLocker II.

The best defense lies in intelligent cybersecurity, with particular attention to sensitive data, which has additional regulations surrounding its use and protection. Here are three cybersecurity packages that provide competent defense against WastedLocker ransomware.

Our methodology for selecting a ransomware tool that will protect against WastedLocker

We reviewed the market for anti-ransomware systems that can prevent or recover from WastedLocker and other ransomware strains and assessed tools based on the following criteria:

  • Malware blocker for Windows – the target operating system for WastedLocker
  • User education to spot social engineering and phishing
  • Browser security to identify fake websites that impersonate well-known corporate sites
  • Popup blocker
  • Blacklist of known hacker domains
  • Free trial or a demo that enables an assessment before buying
  • Value for money from a system that can block all types of malware and automated threats, not just WastedLocker

1. CrowdStrike Falcon Insight (Editor’s Choice)

CrowdStrike Falcon Insight

CrowdStrike Falcon Insight is an endpoint detection and response (EDR) package. It includes a coordinating module to create enterprise-wide protection. The endpoint agent installs on Windows, macOS, and Linux, and the overseer is a cloud-based service.

Key Features:

  • AI-Powered Detection: Uses artificial intelligence to identify and prioritize threats effectively.
  • Real-Time Monitoring: Continuously monitors endpoint activity and analyzes data in real-time.
  • Comprehensive Attack Visibility: Provides detailed visibility into attack paths and adversary context.
  • Rapid Response: Features Real Time Response (RTR) for direct system access and automated threat mitigation.
  • Integrated Threat Intelligence: Leverages advanced threat intelligence to enhance detection accuracy.

Why do we recommend it?

An adaptable threat such as WastedLocker needs a flexible detection system. The CrowdStrike Falcon Insight system includes AI processes to spot unusual activity, which can extend beyond malware to catch intrusions. The system is able to disconnect a computer, leaving a local module to fight the infection, while protecting the rest of the network.

The combination of device protection and system monitoring is an excellent defense against ransomware systems such as WastedLocker and Hades. The on-site modules use anomaly detection, enabling them to spot brand-new malware or seemingly genuine activities performed by legitimate user accounts. The EDR will isolate devices if it spots suspicious activity. It can also delete malware files and kill processes. The endpoint protection system is fully autonomous, and it can be bought separately. It is marketed as CrowdStrike Falcon Prevent.

The cloud-based module is a threat hunter that relies on uploads of activity logs from the endpoint agents. This gets threat intelligence feeds from CrowdStrike that update its data search strategies. The coordinator will inform all endpoints of detected threats, whether identified in the data or notified by an endpoint.

Who is it recommended for?

Falcon Insight has two elements: Falcon Prevent, installed on each device, and the cloud-based Falcon Insight SIEM. So, this is a package of tools rather than a single product. This makes the service very effective, but it also makes it expensive. This solution is suitable for mid-sized and large organizations.

Pros:

  • Unified Console: Offers a single platform for managing endpoint, identity, cloud, and data protection.
  • Managed Detection and Response (MDR): Provides 24/7 managed threat hunting and response services.
  • Scalability: Easily scales to accommodate growing security needs.
  • Endpoint Detection and Response (EDR): Delivers continuous and comprehensive endpoint visibility to detect, investigate, and respond to advanced threats.
  • Cloud-Native Architecture: Built on a cloud-native architecture, so there is no need to host the system on your own servers.

Cons:

  • Pricey: The system relies on the installation of an EDR on every computer, which can be expensive.

You can get a 15-day free trial of Falcon Prevent.

2. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus is a sensitive data protector designed for businesses that need to comply with HIPAA, PCI DSS, and other data privacy standards.

Key Features:

  • File Auditing: Audit, monitor, receive alerts on, and report on all file accesses and modifications in real-time.
  • Data Leak Prevention: Detect, disrupt, and respond to sensitive data leaks via USB devices, emails, printers, and more.
  • Data Risk Assessment: Perform content inspection and contextual analysis to discover sensitive data in files and classify it based on vulnerability.
  • File Analysis: Analyze disk space usage, manage junk data, identify at-risk data, and analyze file permissions.

Why do we recommend it?

Businesses that manage sensitive data need a data loss prevention system, such as ManageEngine DataSecurity Plus. This service discovers the locations of data and then scours it for instances of special information, such as PII. This search will be adapted according to a data security standard, including GDPR, PCI DSS, HIPAA, or FISMA.

The system includes an eDiscovery module that identifies sensitive data stores and categorizes the types of data held there. This enables you to increase security measures for those locations. In addition, the defense system of DataSecurity Plus is implemented as a file integrity monitor (FIM). This will spot encryption actions immediately and block them.

The system examines the processes that try to access sensitive data stores and measures their intent. The package will then block any malicious activity by killing processes and suspending compromised user accounts.

Who is it recommended for?

As well as protecting sensitive data, this tool has user activity tracking and file integrity monitoring services. These modules will detect automated or manual malicious actions. The package watches data exfiltration points, such as FTP connections, emails, and detachable storage. This should help to block ransomware that steals data for disclosure.

Pros:

  • Cloud Protection: Track your organization’s web traffic, scrutinize the use of shadow web apps, and enforce policies to block inappropriate or malicious web content.
  • Email Security: Inspect email attachments for restricted content, warn employees against policy violations, and prevent leakage of confidential files via email attachments.
  • Ransomware Response: Proactively detect and shut down the spread of potential ransomware attacks by isolating infected devices from the network with automated threat responses.
  • Insider Threat Detection: Monitor all file activities, removable device usage, data transfers, application use, and more 24/7 to spot and respond to anomalous activities.

Cons:

  • No SaaS version: This is a software package for Windows Server.

DataSecurity Plus is an on-premises software package that installs on Windows Server. It is available for a 30-day free trial.

3. Bitdefender GravityZone

Bitdefender GravityZone

Bitdefender GravityZone is a bundle of cyber defense systems that work very well in combination to protect against WastedLocker and Hades. The most important defense is its managed backup service.

Key Features:

  • Advanced Anti-Exploit: Protects vulnerable applications from exploits by monitoring memory access routines and blocking exploit techniques.
  • Machine Learning Anti-Malware: Uses machine learning models trained on billions of file samples to predict and block advanced attacks.
  • Process Inspector: Continuously monitors running processes for suspicious activities and takes remediation actions.

Why do we recommend it?

Bitdefender GravityZone is the ideal package for combating the classic ransomware attack that encrypts data and then expects a payment to decrypt it. The two elements of the GravityZone system are an antivirus and a backup service. The package even scans files for infection on the way in and out of the backup repository.

GravityZone implements malware scanning at several points of the system. It scans endpoints and all files downloaded onto them. The system also guards access to the backup store, scanning every file before letting it on. That even includes manually commanded transfers.

The GravityZone package has a vulnerability scanner and a patch manager to reduce your attack surface. There is also a file integrity monitor in there as a last resort. GravityZone implements automated responses. It can isolate a device as soon as it spots suspicious activity. That will limit the potential damage that WastedLocker and Hades could cause.

Who is it recommended for?

Bitdefender produces GravityZone in a range of editions that suit different business types. For example, there is an edition for home offices and another for managed service providers. The package is affordable and easy to set up. However, this service alone won’t protect your business against the data theft strategy of ransomware such as WastedLocker.

Pros:

  • Fileless Attack Protection: Detects and blocks fileless attacks that evade traditional antivirus solutions.
  • Ransomware Mitigation: Proactively detects and shuts down ransomware attacks to prevent data encryption.
  • Network Attack Defense: Stops attacks aiming to exploit network vulnerabilities.

Cons:

  • Not Strong on Data Loss Prevention: Focuses on malware protection.

Bitdefender GravityZone is a software package that runs as a virtual appliance. It is available for a one-month free trial.