WastedLocker is a relatively new ransomware family which has been tracked in the wild since April/May 2020. The name comes from the ‘wasted’ string which is appended to encrypted files upon infection. Similar to families like Maze and NetWalker, WastedLocker has been attacking high-value targets across numerous industries. Their campaigns have targeted several United States-based Fortune 500 companies as well.
Leveraging SocGholish & Cobalt Strike
Once victims have been compromised via SocGholish, Cobalt Strike is used to laterally move as well as gain additional profile data on the targeted hosts or environment. Prior to delivering the WastedLocker payload, attackers typically disable core Windows Defender features, as well as deleting Volume Shadow Copies. Additional LOTL-style tools are also often observed in the campaigns. For example, in some cases PsExec will be used to initiate the launch of the WastedLocker ransomware. PowerShell and WMIC are also sometimes utilized in profiling and tuning the environment.
Hiding via NTFS’ Alternate Data Stream
WastedLocker has an affinity for running with administrative privileges. If the payload is executed with non-administrative permissions, it will attempt to elevate privileges via UAC bypas (Mocking Trusted Directories).
Once elevated, the ransomware will write a copy of a random file from System32 to the
%APPDATA% directory. The newly copied file will have a random and hidden filename. This process allows for the ransomware to copy itself into the file by way of an alternate data stream (ADS).
This is followed by the creation of a new folder in
%TEMP% which contains copies of WINMM.DLL and WINSAT.EXE. The
%TEMP% copy of WINMM.DLL is then leveraged to execute the ransomware from the previously generated alternate data stream.
WastedLocker Encryption Routine
The encryption style does not differ significantly from other prominent ransomware families. WastedLocker will attempt to encrypt files on local as well as remote (network adjacent and accessible) and removable drives. Once the eligible drives are located, the ransomware will begin the encryption process.
All file types are potential candidates for encryption; however, the ransomware does contain a ‘whitelist’ of sorts, with directories and extensions to exclude from encryption. This functionality can vary across campaigns. Files are encrypted via AES (Cipher Block Chaining mode + IV / Initialization Vector) with keys generated for each encrypted file. The AES keys (+IV) are then encrypted using a RSA-4096 public key.
The ransom notes contain a base64 representation of the RSA public key. Encrypted files will be renamed with a combination of the targeted companies name along with the string “wasted”. For example, if the non-existent company “Turbo Chicken Audio” were infected, the files would look something like “file.pdf.turbochickenaudiowasted’ (from file.pdf). The example below shows a set of encrypted files post-infection (partially redacted for privacy).
For each encrypted file, an additional file will be created with “_info” appended to the end of the file extension. These individual files are the ransom notes. Each ransom note also contains the company/target name and an encoded copy of the public key specific to the host. This is in addition to very limited instructions on how to engage the attackers and potentially “get the price for” the encrypted data. Victims are instructed to email the attackers for further instructions.
The email addresses provided are associated with public, secure, email providers (ex: ProtonMail, Eclipso, Tutanota, and Airmail). An example ransom note is below (partially redacted for privacy).
It is also important to note that some analyzed samples support specific command-line parameters. The following are examples of supported parameters:
-p (path) Encrypt specified folder/directory before continuing to the rest of the drive/device
-r Multi-Purpose: Delete VSS, create a copy of the payload in SYSTEM32, create the ransomware’s service entry and execute
-f (path) Only encrypt file in the specified directory/folder
Most samples analyzed execute with the
-r parameter by default, such as:
Persistence is achieved via system service. However, the service is removed once the encryption process has completed. Additional tools are used to manipulate the file system and suppress any requests for user input and/or confirmation. For example,
choice.exe is leveraged to set file attributes as well as delete files (the service executable) when needed.
cmd.exe (choice.exe) /c choice /t 10 /d y & attrib -h "C:UsersxxxxxxAppDataRoamingIndex" & del "C:UsersxxxxxxAppDataRoamingIndex"
cmd.exe (choice.exe)" & del "C:UsersxxxxxMusicwastlock_5.exe"
Upon launching, and as part of the
-r parameter, the ransomware process has to take ownership of the copy of the payload dropped into SYSTEM32. This is achieved via commands similar to the following:
takeown.exe /F C:Windowssystem32Setup2.exe
Basic VSSADMIN commands are used for deletion of Volume Shadow copies; for example:
vssadmin.exe Delete Shadows /All /Quiet
WastedLocker is just one more example of the highly-aggressive ransomware families following in the footsteps of REvil, NetWalker, and others. Prevention, in these attacks, is absolutely critical. Stopping the attackers before they gain any traction is the most effective way to protect you and your sensitive data. This will especially be true should the actors behind WastedLocker decide to leak the data of their victims. SentinelOne’s Endpoint Protection and Singularity platform are the most robust and powerful tools at the disposal of today’s defenders.
Indicators & IOCs
Hide Artifacts: Hidden Files and Directories T1564
Hide Artifacts: NTFS File Attributes T1564
System Services: Service Execution T1569
Abuse Elevation Control Mechanism: Bypass User Access Control T1548
Native API T1106
Command and Scripting Interpreter T1059
File Permissions Modification T1222
Command-Line Interface T1059
Data Encrypted for Impact T1486
Inhibit System Recovery T1490