WastedLocker is a ransomware orchestrated by the cybercriminal organization known as Evil Corp, previously associated with other malware families, including Dridex and BitPaymer. Rather than attacks of opportunity, WastedLocker attacks are carefully directed, and each version of WastedLocker is custom-built for an intended target.
Speculation within the cybersecurity community suggests that Evil Corp likely probes the security defenses of prospective targets with initial strikes to establish a foothold while determining what defensive structures exist and whether they can be exploited. If an organization is found to be a viable target, initial strikes are followed by more concerted secondary strikes that are tailored to circumvent whatever security measures were uncovered in the initial attacks.
Evil Corp is particularly adept at using WastedLocker to locate and encrypt an organization’s file backups, which is instrumental to the success of its attacks, since properly kept backups are one of the more effective ways to limit the impact of ransomware. Deprived of their backups, target organizations have fewer options when dealing with extortion and may feel more compelled to pay the ransom, which in Evil Corp’s case has ranged from $500,000 to over $10 million in Bitcoin.
How WastedLocker works
Evil Corp has largely used WastedLocker to target databases, file servers, cloud environments, and virtual machines located in the United States, as well as select targets throughout Europe. These attacks have comprised multiple stages, with small initial attacks that pave the way for a more concerted thrust.
One of the methods Evil Corp uses to initially compromise target organizations is to embed fake software update alerts on existing websites. These phony prompts urge users to follow simple, seemingly legitimate instructions that ultimately infect their system with what amounts to scouting malware for the larger WastedLocker attack to come. The malware employed at this point in the attack isn’t technically WastedLocker; it is malware designed to establish a foothold and gather information on the network and its potential weaknesses in preparation for a subsequent WastedLocker attack.
Only once this digital beachhead has been established and the system’s defenses have been mapped does Evil Corp deploy the WastedLocker ransomware to seek out and encrypt sensitive information within the target system.