The Evil Corp threat group behind the Dridex banking Trojan and BitPaymer ransomware has started using a new ransomware variant in targeted attacks on enterprises. WastedLocker is a brand-new ransomware variant that has already been used in attacks on around a dozen enterprises. Victims have been issued with ransom demands ranging from $500,000 to more than $1 million.
WastedLocker ransomware was first detected by NCC Group’s Fox-IT researchers in May 2020, although the researchers believe the ransomware has been under development for several months. The ransomware is being distributed through the SocGholish fake update framework, which is loaded onto hacked websites, together with a custom Cobalt Strike loader. Cobalt Strike is used to gain access to devices and further compromise the victim’s network. The researchers believe other distribution methods are also in use, but these have not yet been identified.
Many of the latest ransomware variants used in attacks are deployed manually, and data is exfiltrated before files are encrypted. The attackers then threaten to publish or sell the data if the ransom is not paid. REvil is not engaging in such activities, at least not at the moment. Since REvil did use these tactics with BitPaymer, the researchers believe that REvil is attempting to stay under the radar and avoid attracting too much attention.
The attacks so far have been highly targeted, with each attack tailored to its victim. REvil is targeting file servers, database services, virtual machines and cloud environments, and is also attempting to delete or encrypt backups to prevent recovery without paying the ransom.
Rather than encrypting specific file types, the ransomware encrypts every file that is not on a list of exceptions; files in specific directories are left untouched, as are files smaller than 10 bytes. Encrypted files are given the .wasted extension prefixed with the initials of the victim, e.g. .nnwasted. A ransom note is created for each encrypted file, named by appending _info to the file name.
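As an added example that is not from the article or from the researchers' tooling, the following Python triage helper flags the naming pattern described above on a file listing: per-victim initials followed by "wasted" as the extension, and a companion ransom note. The assumption that each note is the encrypted file's name with _info appended is mine, as are the constructed sample paths.

```python
import os
import re
from collections import Counter
from pathlib import Path

# Encrypted file: <original name>.<victim initials>wasted, e.g. report.xlsx.nnwasted
WASTED_RE = re.compile(r"^(?P<stem>.+)\.(?P<initials>[a-z0-9]{1,8})wasted$", re.IGNORECASE)
NOTE_SUFFIX = "_info"  # assumed: note = encrypted file name + "_info"

# Constructed sample listing (not real incident data) used for the stand-alone run.
SAMPLE_LISTING = [
    "/srv/share/finance/q2.xlsx.nnwasted",
    "/srv/share/finance/q2.xlsx.nnwasted_info",
    "/srv/share/hr/roster.docx.nnwasted",
    "/srv/share/hr/roster.docx.nnwasted_info",
    "/srv/share/readme.txt",
    "/srv/share/tmp/notes.txt_info",   # ends in _info but is not a WastedLocker note
    "/srv/share/it/wasted.log",        # contains "wasted" but does not match the pattern
]


def find_wastedlocker_artifacts(paths):
    """Classify paths into encrypted files, ransom notes and orphan notes (note without file)."""
    encrypted, notes, initials = set(), set(), Counter()
    for p in paths:
        name = Path(p).name
        if name.endswith(NOTE_SUFFIX) and WASTED_RE.match(name[: -len(NOTE_SUFFIX)]):
            notes.add(p)
            continue
        m = WASTED_RE.match(name)
        if m:
            encrypted.add(p)
            initials[m.group("initials").lower()] += 1
    # A note whose encrypted counterpart is missing may indicate a partially cleaned-up host.
    orphan_notes = sorted(n for n in notes if n[: -len(NOTE_SUFFIX)] not in encrypted)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "initials": dict(initials), "orphan_notes": orphan_notes}


def is_suspicious(paths, min_files=3):
    """True when at least min_files encrypted files share one set of victim initials."""
    counts = find_wastedlocker_artifacts(paths)["initials"]
    return bool(counts) and max(counts.values()) >= min_files


def scan_directory(root, min_files=3):
    """Walk a real directory tree and apply the same check to every file found."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return is_suspicious(paths, min_files), find_wastedlocker_artifacts(paths)


if __name__ == "__main__":
    print(is_suspicious(SAMPLE_LISTING, min_files=2), find_wastedlocker_artifacts(SAMPLE_LISTING))
```

Run scan_directory on a file share or backup target to get a quick yes/no plus the list of affected files and the initials the attackers used for that victim.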
The ransom demand is not fixed. Victims are required to email the attackers to find out how much they must pay to decrypt their files. At this stage there is no free decryptor for the ransomware, so recovering files from backups is the only option other than paying the ransom.