What happens when one of the most prolific and infamous financially motivated cybercriminal organizations decides to develop a new ransomware strain? Unfortunately for us, this can be answered without conjecture or assumptions. Evil Corp, best known for the Dridex banking malware, answered that question in 2017 with the BitPaymer ransomware. Now, reports have emerged that the group has answered it a second time with the development of an entirely new ransomware strain, WastedLocker, which was seen in the wild in May, with information released to the public toward the end of June.
What follows is a summary of the infection chain and features that define WastedLocker, as well as a brief account of Evil Corp’s less-than-savory history. Evil Corp’s deeds could fill a textbook on villainy and will be dealt with only briefly; this article highlights the threat posed by WastedLocker, and in particular the threat posed to enterprise networks.
Although it has been widely attributed to Evil Corp, WastedLocker does not have much in common with BitPaymer. One of their main similarities is that both strains include specific victim details in the filenames they create. WastedLocker adds victim details along with .wasted to these filenames, which is why it is called WastedLocker. Other minor similarities include the ransom notes dropped by both strains, which share similar victim naming conventions, as well as the email servers and addresses used for contacting the attackers.
Another similarity is their tactics for finding and attacking victims. BitPaymer is well-known for targeting enterprise-specific data storage facilities including file servers, database services, virtual machines and cloud environments. Such tools and hardware solutions tend to be used by companies and large organizations; home users are often more dependent on local storage devices. The attackers target shadow copies and backup solutions as a priority if found, which increases recovery time for the victim. In worst-case scenarios, if the victim did not have offsite backups or a robust backup routine, recovery would be impossible. WastedLocker has adopted these tactics, as have many of the so-called “human-operated” ransomware strains wreaking havoc across enterprise networks.
[Image: example of WastedLocker’s ransom demand message]
Perhaps one saving grace of the malware is that Evil Corp does not seem to have any desire to release information stolen from victims. This tactic is often used to increase pressure on victims to pay, effectively turning a ransomware incident into a data breach with all the headaches, legal and otherwise, that come with it. BitPaymer never seemed to want to follow this trend, and neither does WastedLocker, another indicator that it was created by Evil Corp. At this point, it is worth mentioning DoppelPaymer, a fork of BitPaymer widely believed to have been created by former Evil Corp hackers. DoppelPaymer is known for being an early adopter of both threatening to release stolen data and actually releasing it. Not only will DoppelPaymer release data, but the group behind it is also willing to sell data on the Dark Web if the ransom is not paid.
One of the key factors that made it easier for researchers to attribute the creation and distribution of WastedLocker to Evil Corp was the use of the SocGholish fake update framework. In the past, Evil Corp used the framework, which typically masqueraded as a browser update, to distribute Dridex. The fake updater was seeded onto several compromised websites and distributed to those unlucky enough to land on one of these sites. With WastedLocker, the framework is used to distribute the CobaltStrike loader rather than the banking malware the group made its name with.
The fake updater boasts several features. For one, the SocGholish framework can detect whether the victim forms part of a larger network, which is vital to groups targeting enterprise networks. If the fake updater detects that it has infected an end user, then further efforts to install WastedLocker are pointless and can be terminated. However, if it determines that the infected machine is part of a much larger network, potentially an enterprise network, then the attacker can proceed. Further, the SocGholish framework can access other bits of information including system information as well as whether the browser is running on a system with elevated privileges. The information is collected and sent to a command and control server, which in turn will send the CobaltStrike payload to the infected machine.
The next phase of the infection chain involves the deployment of the CobaltStrike loader. In this instance, PowerShell is used to download two separate scripts to execute commands, check for various security software suites and work at escalating privileges. The loader also can be used to carry out credential dumping attacks if need be. To initiate the ransomware’s main task of encrypting data, the loader will use legitimate Windows tools, namely PsExec, to launch the command line so that Windows Defender can be disabled. In some instances, it was detected that the malware could even disable real-time monitoring.
It is believed that CobaltStrike can perform these tasks in several ways using a different toolset; however, researchers have yet to see these used in the wild. After CobaltStrike has completed its tasks, it will retrieve WastedLocker from a server under the control of the attacker.
WastedLocker’s main aim, as with all successful ransomware strains, is to encrypt data on the victim’s machine and, in this case, to encrypt files whose loss would severely stunt business operations or shut them down completely. Before this can occur, the ransomware completes a few tasks so that the encryption process will run as smoothly as possible. Researchers for the NCC Group noted these tasks as follows:
“First, Wastedlocker decrypts the strings which are stored in the .bss section and then calculates a DWORD value that is used later for locating decrypted strings that are related to the encryption process. This is described in more detail in the String encryption section. In addition, the ransomware creates a log file lck.log and then sets an exception handler that creates a crash dump file in the Windows temporary folder with the filename being the ransomware’s binary filename.
If the ransomware is not executed with administrator rights or if the infected host runs Windows Vista or later, it will attempt to elevate its privileges. In short, WastedLocker uses a well-documented UAC bypass method. It chooses a random file (EXE/DLL) from the Windows system32 folder and copies it to the %APPDATA% location under a different hidden filename. Next, it creates an alternate data stream (ADS) into the file named bin and copies the ransomware into it. WastedLocker then copies winsat.exe and winmm.dll into a newly created folder located in the Windows temporary folder. Once loaded, the hijacked DLL (winmm.dll) is patched to execute the aforementioned ADS.”
Once the above-mentioned tasks are complete, only then will WastedLocker begin its encryption process. WastedLocker will also look for and delete shadow copies found on the victim’s network. This is by no means a new or unique tactic and has been used by countless other ransomware operators. The practical effect of such a tactic is that it can make recovery impossible for corporations that didn’t adequately invest in offsite backups and a robust backup policy. This will increase the likelihood of the victim paying the ransom, as the company will incur losses associated with not being able to do business.
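Added example (not from the original article or NCC Group's report): a small Python triage pass over process-creation and image-load events that flags the behaviours described above, namely winsat.exe running outside the system directory, winmm.dll loaded from beside it, a process image that is an alternate data stream, shadow copy deletion and Defender real-time monitoring being switched off. The event schema, rule names, sample paths and the specific command-line forms matched are assumptions.

```python
import ntpath
import re

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed command-line forms; the article names the behaviours, not the commands.
SHADOW_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
DEFENDER_RE = re.compile(r"-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)
# Constructed sample events (hypothetical schema and paths), not real telemetry.
SYS, TMP = r"C:\Windows\System32", r"C:\Users\u1\AppData\Local\Temp\a1b2"
SAMPLE_EVENTS = [
    {"type": "process", "image": SYS + r"\winsat.exe", "cmdline": "winsat.exe formal"},
    {"type": "process", "image": TMP + r"\winsat.exe", "cmdline": "winsat.exe"},
    {"type": "image_load", "image": TMP + r"\winsat.exe", "loaded": TMP + r"\winmm.dll"},
    {"type": "process", "image": r"C:\Users\u1\AppData\Roaming\Kdr:bin", "cmdline": ""},
    {"type": "process", "image": SYS + r"\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "image": SYS + r"\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "image_load", "image": SYS + r"\winsat.exe", "loaded": SYS + r"\winmm.dll"},
]

def outside_system(path):
    return ntpath.dirname(path).lower() not in SYSTEM_DIRS

def classify(event):
    """Return the names of the rules a single event triggers."""
    hits = []
    name = ntpath.basename(event.get("image", "")).lower()
    if event["type"] == "process":
        if name == "winsat.exe" and outside_system(event["image"]):
            hits.append("winsat_outside_system32")   # copied winsat.exe in a temp folder
        if ":" in name:
            hits.append("image_is_ads")              # code started from file:stream
        cmd = event.get("cmdline", "")
        if SHADOW_RE.search(cmd):
            hits.append("shadow_copy_delete")
        if DEFENDER_RE.search(cmd):
            hits.append("defender_rtm_disabled")
    elif event["type"] == "image_load":
        loaded = event.get("loaded", "")
        if ntpath.basename(loaded).lower() == "winmm.dll" and outside_system(loaded):
            hits.append("winmm_sideload")            # winmm.dll sitting beside the copied EXE
    return hits

def scan(events):
    return [(i, rule) for i, e in enumerate(events) for rule in classify(e)]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(idx, rule, SAMPLE_EVENTS[idx]["image"])
```

The legitimate System32 events (indexes 0 and 6) produce no hits, which is the baseline the path-based rules rely on.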
In Evil Corp’s Crosshairs
To say that Evil Corp is solely a financially motivated cybercriminal organization might sound like an oversimplification, but it is not far from the truth. Dridex, BitPaymer and now WastedLocker exist to make money for the operators, and the more the merrier. A simple glance at the targets of the WastedLocker campaign, which was detected by researchers in May, shows why hackers are using this malware. A blog article published by security firm Symantec on the findings of NCC Group revealed 31 enterprises were actively being targeted by Evil Corp. Of those 31, 11 are listed on major stock exchanges, eight of which are Fortune 500 companies. All 31 are U.S. companies, with one a US-based multinational.
The companies targeted came from a wide array of economic sectors, with most in the manufacturing sector, followed closely by companies in the information technology and telecommunications sectors, respectively. Several publications also reported on individual incidents. One article revealed a major U.S. newspaper organization had been a victim. From the reports, Evil Corp is demanding ransoms according to what they think the victims can pay, ranging from $500,000 to millions of U.S. dollars. Given WastedLocker’s newness and how experienced the gang operating it is, no decryptor is publicly available, and unless Evil Corp makes a major error, one might not be available for some time.
In defending against a potential WastedLocker attack, enterprises are advised to adopt a robust backup policy and procedure. Additionally, the gang sends out phishing emails with the SocGholish updater as a .zip attachment; therefore, employees should be advised to be careful with emails containing suspicious files or requesting that the user update a program via an email link.
Evil Corp’s Multimillion-Dollar Enterprise
Exactly when a group of hackers decided to work together and form what is now known as Evil Corp might forever be shrouded in mystery. Some believe it was as early as 2007, but the most conservative estimates point to 2011, when activity started appearing on security researchers’ radars. What is known for sure is that Dridex emerged on the threat landscape in 2014 and has been operated by the gang since then, with some estimating that the banking malware has netted the gang somewhere in the vicinity of $100 million USD. In 2017, Dridex infections tailed off to be replaced by the gang deploying BitPaymer. 2018 was marked by a short partnership with TrickBot malware, which later was supplanted by ransomware rivals Ryuk.
2019 marked a low point for the gang, as two of its members were indicted in a U.S. court and the DoppelPaymer fork was created in all likelihood by ex-Evil Corp affiliates. There was a short period of inactivity that ended in January 2020, and a spike in activity in March that coincided with the COVID-19 pandemic and several nations going into lockdowns. Now we have WastedLocker to contend with, illustrating that cybercrime is not only incredibly damaging to victims, but also incredibly lucrative.