The new WastedLocker ransomware was first spotted in May 2020. It was developed by the high-profile Evil Corp group, which previously used the Dridex trojan to deploy BitPaymer ransomware in attacks targeting government organizations and enterprises in the United States and Europe.

Last year, some of the group's members left and started their own attacks using DoppelPaymer ransomware, which is based on BitPaymer's code. After a short pause, Evil Corp resumed its attacks and began preparing a large-scale operation using the new ransomware family.

WastedLocker and BitPaymer have little in common. Initial compromise takes place via the SocGholish fake-update framework, which is now used to distribute a custom Cobalt Strike loader directly. The framework then determines whether the infected system is part of an organization's network, collects additional information about the system, and passes it on to the adversaries. Once inside the network, the threat actor uses toolsets such as Cobalt Strike, Mimikatz, Empire, and PowerSploit to facilitate lateral movement across the targeted organization's environment. In addition, Evil Corp relies on native operating system functionality (LoLBins) to evade detection and operate under the radar until encryption begins.

New rules from participants in Threat Bounty program help detect Evil Corp’s malicious activity and WastedLocker ransomware deployment:

WastedLocker Ransomware Hunting (Credential dumping) by Ariel Millahuel:

WastedLocker Ransomware Hunting (Initial access and compromise) by Ariel Millahuel:

WastedLocker Ransomware Hunting (Defense evasion) by Ariel Millahuel:

WastedLocker Ransomware Hunting (Discovery) by Ariel Millahuel:

Wastedlocker a new ransomware variant developed by the evil corp group by Osman Demir:

The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Windows Defender ATP, Carbon Black, CrowdStrike, Elastic Endpoint


Tactics: Initial Access, Execution, Impact

Techniques: PowerShell (T1086), Service Execution (T1035), Drive-by Compromise (T1089), Data Encrypted for Impact (T1486)
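To make the hunting categories above concrete, here is an added example (not SOC Prime's rule content and not code from the post) that runs one toy predicate per category over constructed Sysmon-style process-creation events and flags hosts where several stages of the chain fire together. The field names, process allowlists, path patterns and the two-stage threshold are assumptions, chosen only for illustration.

```python
import re
from collections import defaultdict

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

# One predicate per hunting category named in the post; all thresholds are assumptions.
RULES = [
    ("Initial access", lambda e: base(e["parent"]) in {"chrome.exe", "msedge.exe", "firefox.exe"}
     and base(e["image"]) in {"wscript.exe", "cscript.exe"}),          # browser spawning a script host
    ("Execution (PowerShell, T1086)", lambda e: base(e["image"]) == "powershell.exe"
     and re.search(r"(?i)\s-(e|ec|enc|encodedcommand)(\s|$)", e["cmdline"]) is not None),
    ("Service execution (T1035)", lambda e: base(e["parent"]) == "services.exe"
     and re.search(r"(?i)\\(temp|appdata|programdata|users)\\", e["image"]) is not None),
    ("Defense evasion (LoLBin)", lambda e: base(e["image"]) in {"mshta.exe", "regsvr32.exe", "rundll32.exe"}
     and re.search(r"(?i)https?://", e["cmdline"]) is not None),
    ("Discovery", lambda e: base(e["image"]) in {"net.exe", "net1.exe", "nltest.exe"}
     and re.search(r"(?i)domain admins|/domain|/dclist", e["cmdline"]) is not None),
]

# Constructed sample telemetry (not real events): ws01 follows the chain, ws02 is benign admin activity.
EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": r'wscript.exe "C:\Users\bob\Downloads\Chrome.Update.js"'},
    {"host": "ws01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc ZGVtbw=="},
    {"host": "ws01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\ProgramData\svchelper.exe", "cmdline": r"C:\ProgramData\svchelper.exe"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "domain admins" /domain'},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

def match_rules(event):
    """Return the hunting categories a single event triggers."""
    return [name for name, pred in RULES if pred(event)]

def triage(events, min_stages=2):
    """Group hits per host; report hosts where at least min_stages distinct stages fired."""
    stages = defaultdict(set)
    for e in events:
        for cat in match_rules(e):
            stages[e["host"]].add(cat)
    return {h: sorted(c) for h, c in stages.items() if len(c) >= min_stages}

if __name__ == "__main__":
    for host, cats in triage(EVENTS).items():
        print(host, "->", ", ".join(cats))
```

Correlating stages per host is what keeps a single noisy predicate (an admin running an encoded PowerShell one-liner) from paging anyone, while the full chain on one workstation does.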
