It has been reported that a new ransomware, named "WastedLocker", is
spreading. The attacks mainly target organizations located in the U.S. across
various industries, including manufacturing, media, IT and healthcare. The
ransomware is attributed to the infamous cybercriminal outfit "Evil Corp",
which was earlier linked to some other dreadful
known as "SocGholish", delivered to the victim in a zipped file while
visiting a compromised legitimate website. At least 150 compromised websites
have reportedly been discovered. The zipped file contains
profiles the computer using built-in commands such as whoami, net user and
net group, and PowerShell is then used to download additional scripts.
The next pivotal stage of the attack is to download and execute a loader
from a domain used to deliver Cobalt Strike, a commercial threat-emulation
framework. The loader also contains a .NET injector. The injected payload,
known as Cobalt Strike Beacon, can inject into other processes and, together
with several other tools, is used to steal credentials, escalate privileges
and move laterally across the network. The attackers also enumerate all
computer objects in the Active Directory database to locate Windows servers
and hosts. Cobalt Strike is also used for credential dumping with the
legitimate Sysinternals tool "ProcDump".
Before deploying the ransomware, the attackers disable Windows Defender
across the victim's entire network using PowerShell scripts and legitimate
tools. Once all payloads have been deployed, Windows Defender is disabled and
services across the organization are stopped, the Windows Sysinternals tool
"PsExec" is used to launch the WastedLocker ransomware itself. It encrypts the
victim's data and deletes the Volume Shadow Copies, wiping on-host backups and
file snapshots so that recovery from the affected systems is not possible;
only backups kept offline or otherwise unreachable from the compromised
network survive this step.
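The chain described above (host profiling with whoami/net user/net group, Defender being switched off through PowerShell, AD computer-object enumeration, ProcDump against LSASS, PsExec execution and shadow-copy deletion) leaves distinctive traces in process-creation telemetry. The following script is an added example, not part of the advisory or of any vendor's tooling: it runs simple detection logic over a few constructed process-creation records. The record layout (`ts`, `host`, `user`, `image`, `cmdline`), the host names and the sample command lines are assumptions made for illustration; in practice the records would come from Windows Security event 4688 or Sysmon Event ID 1, and the patterns would need tuning against that telemetry.

```python
"""Detect a WastedLocker-style intrusion chain in process-creation events.

Added example for illustration. Assumes each event is a dict with the keys
'ts' (epoch seconds), 'host', 'user', 'image' and 'cmdline'; the field names
and every sample event below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# (rule name, regex applied to the lower-cased command line)
COMMAND_RULES = [
    ("shadow-copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("defender disabled via PowerShell",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$?true")),
    ("LSASS memory dump with ProcDump",
     re.compile(r"procdump(64)?(\.exe)?\s+.*-ma\s+lsass")),
    ("PsExec remote execution",
     re.compile(r"(^|\\)(psexec(64)?|psexesvc)(\.exe)?(\s|$)")),
    ("AD computer-object enumeration",
     re.compile(r"get-adcomputer|dsquery(\.exe)?\s+computer|objectcategory=computer")),
]

# Built-in recon commands used by the first-stage script
RECON_COMMANDS = {"whoami", "net user", "net group"}
RECON_WINDOW_SECONDS = 300  # all three seen on one host within 5 minutes


def _recon_key(cmdline):
    """Return which recon command a command line runs, or None."""
    c = cmdline.lower()
    if re.search(r"(^|\\)whoami(\.exe)?\b", c):
        return "whoami"
    m = re.search(r"(^|\\)net1?(\.exe)?\s+(user|group)\b", c)
    if m:
        return "net " + m.group(3)
    return None


def match_command_rules(event):
    """Names of every COMMAND_RULES entry matching this event's command line."""
    cmd = event["cmdline"].lower()
    return [name for name, rx in COMMAND_RULES if rx.search(cmd)]


def find_recon_bursts(events):
    """Hosts where whoami, net user and net group all ran inside the window.

    A single 'net user' from a help-desk operator is normal; the full trio in
    quick succession is the profiling behaviour described in the advisory.
    Returns a list of (host, start timestamp) tuples.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = _recon_key(ev["cmdline"])
        if key:
            by_host[ev["host"]].append((ev["ts"], key))
    hits = []
    for host, seen in by_host.items():
        for i, (t0, _) in enumerate(seen):
            window = {k for t, k in seen[i:] if t - t0 <= RECON_WINDOW_SECONDS}
            if RECON_COMMANDS <= window:
                hits.append((host, t0))
                break
    return hits


def analyse(events):
    """Return (host, rule name, detail) alerts: command-line hits in time order,
    followed by any recon bursts."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name in match_command_rules(ev):
            alerts.append((ev["host"], name, ev["cmdline"]))
    for host, t0 in find_recon_bursts(events):
        alerts.append((host, "host profiling burst (whoami/net user/net group)",
                       "started at ts=%d" % t0))
    return alerts


# Constructed sample telemetry (hypothetical hosts, users and paths)
SAMPLE_EVENTS = [
    {"ts": 900, "host": "WS-02", "user": "alice",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user alice /domain"},
    {"ts": 1000, "host": "WS-17", "user": "jdoe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"ts": 1010, "host": "WS-17", "user": "jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user"},
    {"ts": 1020, "host": "WS-17", "user": "jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net group /domain"},
    {"ts": 1500, "host": "WS-17", "user": "jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"ts": 1550, "host": "WS-17", "user": "jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Get-ADComputer -Filter *"'},
    {"ts": 1600, "host": "DC-01", "user": "svc_backup",
     "image": r"C:\Temp\procdump64.exe",
     "cmdline": r"C:\Temp\procdump64.exe -accepteula -ma lsass.exe out.dmp"},
    {"ts": 1700, "host": "SRV-05", "user": "admin",
     "image": r"C:\Temp\PsExec.exe",
     "cmdline": r"C:\Temp\PsExec.exe \\SRV-05 -s -d C:\Temp\wl.exe"},
    {"ts": 1800, "host": "SRV-05", "user": "SYSTEM",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
]

if __name__ == "__main__":
    for host, rule, detail in analyse(SAMPLE_EVENTS):
        print("%-7s %-45s %s" % (host, rule, detail))
```

Each rule on its own is noisy in a large estate (backup agents call vssadmin, administrators run PsExec), so the practical value is in correlation: several of these hits on the same host, or on many hosts within minutes, is the pre-encryption stage of this campaign and should trigger isolation before the ransomware is launched. Note also that on Defender builds with Tamper Protection enabled the Set-MpPreference call is ignored, but its appearance in the command line is still a strong signal of the attempt.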
The threat actors behind this attack are highly experienced, and this
attack on a victim's network, if unidentified and not addressed, can cause
Kindly visit the URL:
Countermeasures and Best practices for prevention:
Maintain appropriate firewall policies to block malicious traffic entering
the system/network. Enable a host-based (personal) firewall on workstations.
Keep antivirus/antimalware software updated so that threats are detected
before they infect the system/network. Always scan external drives/removable
devices before use. Leverage anti-phishing solutions that help protect
credentials and guard against malicious file downloads.
It is also important to keep web filtering tools updated.
Block the IP addresses of known malicious sites so that devices cannot reach
them, and enable intelligent website blacklisting to block known bad
websites.
Use a limited-privilege user account on workstations for day-to-day work, and
grant administrative access to systems only through separate, dedicated
administrative accounts.
Keep software and the OS up to date so that attackers cannot take advantage
of or exploit known vulnerabilities.
Change default login credentials as they are readily available with
Avoid downloading files from untrusted websites.
Go beyond intrusion detection to protect servers with runtime memory
for critical applications and server workloads, ensuring a defense against
actors who already have a foothold on your server.
Disable Autorun and Autoplay policies.
Consider using application whitelists to prevent unknown executables from
Remove the system changes made by the malware, such as created files,
registry entries and services.
Monitor traffic generated from client machines to the domains and IP
address mentioned in Installation section.
Disable unnecessary services on agency workstations and servers.