Detection Content: WastedLocker Ransomware

The new WastedLocker ransomware was first spotted in May 2020. It was developed by the high-profile Evil Corp group, which previously used the Dridex trojan to deploy BitPaymer ransomware in attacks targeting government organizations and enterprises in the United States and Europe.

Last year, part of the attackers left the group and started their own attacks using DoppelPaymer ransomware based on BitPaymer’s code. After a short pause, the hackers from the Evil Corp continued their attacks and began to prepare a large-scale operation using the new ransomware family.

WastedLocker and BitPaymer have little in common. Initial compromise takes place via the SocGholish fake update framework which is now used to directly distribute a custom CobaltStrike loader. Then, the framework determines whether the infected system is part of the organization’s network, collects additional information about the system, and passes it on to the adversaries. After entering the network, the threat actor uses various toolsets like Cobalt Strike, Mimikatz, Empire, and PowerSploit to facilitate lateral movement across the targeted organization’s environments. More, the Evil Corp uses native operating system functionality (LoLBins) to evade detection and operate under the radar until the start of encryption.

New rules from participants in Threat Bounty program help detect Evil Corp’s malicious activity and WastedLocker ransomware deployment:

WastedLocker Ransomware Hunting (Credential dumping) by Ariel Millahuel: https://tdm.socprime.com/tdm/info/ohVpL4U6RLYd/Db4eLnMBPeJ4_8xcypLC/?p=1

WastedLocker Ransomware Hunting (Initial access and compromise) by Ariel Millahuel: https://tdm.socprime.com/tdm/info/cexuKikgrGxH/-ZccLnMBQAH5UgbB-SXj/?p=1

WastedLocker Ransomware Hunting (Defense evasion) by Ariel Millahuel:
https://tdm.socprime.com/tdm/info/kNavqYGJrev8/yppbM3MBQAH5UgbBHWAp/?p=1

WastedLocker Ransomware Hunting (Discovery) by Ariel Millahuel:
https://tdm.socprime.com/tdm/info/NuV0JT0Mu2xi/AZdZM3MBSh4W_EKG6zKf/?p=1

Wastedlocker a new ransomware variant developed by the evil corp group by Osman Demir: https://tdm.socprime.com/tdm/info/PYGGqXXI8HiF/GIRtFHMBSh4W_EKG3ChF/?p=1

The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, RSA NetWitness

EDR: Windows Defender ATP, Carbon Black, CrowdStrike, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Initial Access, Execution, Impact

Techniques: PowerShell (T1086), Service Execution (T1035), Drive-by Compromise (T1089), Data Encrypted for Impact (T1486)