Ransom:Win32/WastedLocker.WT!MTB

Arrival

Operators typically deploy WastedLocker on enterprise networks during a breach. In one campaign, operators lure users into downloading a fake web browser update. When a user launches a JavaScript in the fake .zip update, it runs a malicious code that eventually allows campaign operators to deploy Cobalt Strike, escalate privileges, move laterally to other devices, obtain domain admin access to the target device, and deliver the ransomware payload using the PsExec tool.

Initialization

When launched, this ransomware collects information about the device and identifies files for encryption.

Turns off antivirus software

Attackers use the PsExec tool to turn off Microsoft Defender and its related activities like scanning downloaded files.

Bypasses user account control

Service creation for encryption

The ransomware registers a service for file encryption. It copies itself to C:\Windows/system32/<randomname>.exe and creates a service that loads the same file with an –s parameter using this registry entry:

HKLM\SYSTEM\ControlSet001\services\<random_name>

When the service is started, it begins to encrypt files. After encryption, the ransomware stops the service and deletes it.

Encrypts files

The ransomware uses the AES algorithm to encrypt files. It appends the extension .eswasted to the original file names. For example, a resulting file name might be example.doc.eswasted. It drops a ransom note for each encrypted file, using the same file name with “_info” appended to the name. For example, if the name of the encrypted file is example.doc.ewasted, the ransom note file is named example.doc.eswasted_info.

The ransom note contains the following message:

The ransomware excludes operating system files from encryption so that the device can continue to function normally. It also excludes certain files and folders, including the Program Files and AppData folders and files with .exe, .dll, .htm, .bat, .ps1, and .bin extensions.

Deletes shadow copies

After encrypting the files, this ransomware deletes shadow copies of files and system volumes to prevent recovery of encrypted files. It uses the following command to delete shadow copies:

C:\Windows\system32\vssadmin.exe Delete Shadowszxzx /All/Quiet

Files used in this analysis

This ransomware has multiple variants that exhibit varying behaviors. This analysis is based on the following sample:

8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80 (SHA-256)