Ransomware: The tricks used by WastedLocker to make it one of the most dangerous cyber threats

Security researchers at Sophos detail how WastedLocker avoids detection - and it involves intricate knowledge of how the inner workings of Windows function.
Written by Danny Palmer, Senior Writer

One of the most dangerous families of ransomware to emerge this year is finding success because it's been built to avoid anti-ransomware tools and other cybersecurity software, according to security company researchers who have analysed its workings.

WastedLocker ransomware appeared in May and has already developed notoriety as a potent malware threat to organisations by encrypting networks and demanding a ransom of millions of dollars in bitcoin in exchange for the decryption key.

One of WastedLocker's most recent high-profile victims has been reported to be wearable tech and smartwatch manufacturer Garmin.


WastedLocker is thought to be the work of Evil Corp, a Russian hacking crew and one of the world's most prolific cyber-criminal groups. One of the reasons they're so successful is because they're always developing and adapting their tools.

Researchers at Sophos have delved into the inner workings of WastedLocker and found that the malware goes the extra mile to avoid detection.

The author of the WastedLocker ransomware constructed a sequence of manoeuvres meant to confuse and evade behavior-based anti-ransomware solutions, according to the report.

"It's really interesting what it's doing with mapping in Windows to bypass anti-ransomware tools," said Chester Wisniewski, principal research scientist at Sophos. "That's really sophisticated stuff; you're digging way down into the things that only the people who wrote the internals of Windows should have a concept of: how the mechanisms might work and how they can confuse security tools and anti-ransomware detection," he said.

Many malware families use some form of code obfuscation to hide malicious intent and avoid detection, but WastedLocker adds further layers by interacting with Windows API functions from within memory itself, where security tools that rely on behavioural analysis find it harder to detect.

WastedLocker uses a trick to make it harder for behavior-based anti-ransomware solutions to keep track of what is going on: it encrypts files through memory-mapped I/O. This technique lets the ransomware transparently encrypt cached documents in memory without causing additional disk I/O, which can shield it from behavior-monitoring software.

Then, by the time the infection is detected it's too late – often the first sign is when the attackers have pulled the trigger on the ransomware attack and victims find themselves faced with a ransom note demanding millions of dollars.

The attacks are planned carefully, with the cyber criminals very hands-on throughout the entire process, which for WastedLocker means that campaigns often begin with abusing stolen login credentials. If the accounts seized by the crooks provide administrator privileges, then the attackers can ultimately do what they want.

"If they get admin credentials, they can VPN in, they can disable the security tools. If there's no multi-factor they're just going to log in to the RDP, VPN and admin tools," said Wisniewski.

He added that the coronavirus pandemic and the resultant rise in remote working has created optimal conditions for cyber criminals to conduct campaigns.

"Because of COVID-19, I think they're having some more success with that. Things that might have only been internally facing are now externally facing and that's another indicator that companies might be compromised," he explained.


Organisations can go a long way to protecting themselves from falling victim to WastedLocker and other ransomware attacks by employing simple security procedures, such as not using default passwords for remote login portals and using multi-factor authentication to provide an extra barrier to hackers attempting to gain control of accounts and systems.

Ensuring that security patches are applied as soon as possible can also help stop organisations falling victim to malware attacks, many of which use long-known vulnerabilities to gain a foothold into networks.

By applying these security practices, organisations can help stay protected against WastedLocker and other threats – but until these security protocols are applied across the board, ransomware will remain a problem.

"The reality is, ransomware is not going away," said Wisniewski.