Wastedlocker Ransomware

The Evil Corp group targets victims with WastedLocker Ransomware; uses multiple unknown distribution methods including SocGholish. SocGholish is a fake update framework, which is delivered to the victim in a zipped file via compromised websites.

  • As per NCCGroup, who first published details of the WastedLocker Ransomware operated by Evil Corp group, the ransomware first appeared in May 2020.

  • The ransomware name is derived from the filename it creates which includes an abbreviation of the victim’s name and the string ‘wasted’.

  • The distribution method uses a fake update framework called as SocGholish. Once the zipped downloaded file from fake compromised website runs on system, it sends information gathered from the infected system to the SocGholish server which, in turn, delivers a payload to the victim system.

  • According to the researchers, the Evil Corp group seems to put a lot of effort into bypassing endpoint protection products; this observation is based on the fact that when a certain version of their malware is detected on victim networks the group is back with an undetected version and able to continue after just a short time.

  • It appears the group regularly finds innovative but practical approaches to bypass detection in victim networks based on their practical experience gained through the years.

  • In one case, they successfully compromised a target over 6 months after their initial failure to obtain privileged access. They also display attention to detail by, for example, ensuring that they obtain the passwords to disable security tools on a network prior to deploying the ransomware.

  • Instead of including a list of extension targets, WastedLocker includes a list of directories and extensions to exclude from the encryption process. And it targets drive types like Removable, Fix, Shared, Remote.