Ransom:Win32/Macaw.A
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This ransomware encrypts the data on your disk and can stop you from using your device or accessing your data. It encrypts files, renders them inaccessible, and demands payment for the decryption key.
The Macaw ransomware is an updated version of the WastedLocker ransomware and has been active since October 2021. In this human-operated ransomware campaign, attackers first gain administrative rights, perform lateral movement, and establish persistence before manually deploying the Macaw ransomware using the acquired privileges.
For information about ransomware, read these blog posts:
- Human-operated ransomware attacks: A preventable disaster
- Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here’s what to do
- Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
- Human-operated ransomware
There is no one-size-fits-all response if you have been targeted by ransomware. To recover files, you can restore backups. There is no guarantee that paying the ransom will give you access to your files.
To help reduce the impact of this threat, you can:
- Isolate affected devices and investigate them to identify the credentials used by attackers. Macaw is often deployed using PsExec with a compromised domain administrator account.
- Investigate credential exposure on devices used by the attacker to ensure all accounts that could have been compromised by the attacker are identified.
- Search for additional persistence mechanisms, such as scheduled tasks.
- Investigate Active Directory to determine if any accounts were created by the attacker for network persistence.
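A PowerShell triage script covering the investigation points above (PsExec use with a compromised account, scheduled-task persistence, attacker-created Active Directory accounts), added here as an example and not code from Microsoft's page. It assumes it runs elevated on an affected host, that PsExec was used with its default service name PSEXESVC (a service install is logged as System event 7045), and that the ActiveDirectory module is present for the account check; $LookbackDays is a placeholder window.

```powershell
# Added example: triage a host for the post-compromise traces listed above.
# Assumptions: run elevated; PsExec default service name PSEXESVC; System
# event 7045 = service install; ActiveDirectory module for the AD section.
param(
    [int]$LookbackDays = 14   # placeholder window; set from your incident timeline
)
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Service installs in the window. PsExec registers PSEXESVC on the target,
#    and the 7045 event records which account performed the install.
Write-Host "== Service installs since $since (System event 7045) =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value   # EventData: ServiceName
            ImagePath   = $_.Properties[1].Value   # EventData: ImagePath
            Account     = $_.Properties[4].Value   # EventData: AccountName
            PsExecLike  = ($_.Properties[0].Value -match '^PSEXESVC')
        }
    } | Format-Table -AutoSize

# 2. Scheduled tasks registered in the window (persistence check).
#    Date comes from the task XML and can be omitted by whoever created the
#    task, so a task with no Date is not cleared by this filter; review those too.
Write-Host "== Scheduled tasks registered since $since =="
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -ge $since } |
    Select-Object TaskName, TaskPath, Author, Date,
        @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -AutoSize
Write-Host "== Scheduled tasks with no registration date (review manually) =="
Get-ScheduledTask | Where-Object { -not $_.Date } | Select-Object TaskName, TaskPath, Author | Format-Table -AutoSize

# 3. Domain accounts created in the window, with group membership, so
#    attacker-created accounts (especially privileged ones) stand out.
Write-Host "== AD user accounts created since $since =="
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated, MemberOf |
        Select-Object SamAccountName, Enabled, whenCreated,
            @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
        Format-Table -AutoSize
} else {
    Write-Warning 'ActiveDirectory module not found; run this section on a domain controller or a host with RSAT.'
}
```

Run it on each isolated device and on a domain controller; the account that installed PSEXESVC is the credential to treat as compromised, and any task or account it created belongs on the persistence list.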
Microsoft Defender Antivirus detects and remediates files associated with Macaw ransomware. Microsoft Defender for Endpoint detects behaviors associated with Macaw pre-ransom activities. Additionally, using Tamper Protection can help prevent attackers from turning off security tools. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
You can also visit our advanced troubleshooting page or search the Microsoft community for more help.