Fwd: Virus Alert : WastedLocker Ransomware


Virus Alert 

WastedLocker Ransomware

It has been reported that a new ransomware named "WastedLocker" is spreading. The attacks are mainly focused on U.S.-based organizations across various industries, including manufacturing, media, IT and healthcare, among others. The ransomware is attributed to the infamous cybercriminal outfit "Evil Corp", which has earlier been linked to other damaging cyber-attacks as well.

Infection Mechanism:

The infection chain starts with a malicious JavaScript-based framework known as "SocGholish", delivered to the victim in a zipped file while visiting a compromised legitimate website. As reported, at least 150 compromised websites have been discovered. The zipped file contains malicious JavaScript masquerading as a browser update. A second JavaScript profiles the computer using commands such as whoami, net user and net group, and PowerShell is used to download additional scripts.

The next pivotal stage of the attack is to download and execute a loader from a domain used to deliver the Cobalt Strike threat-emulation software. The loader also contains a .NET injector. The injected payload, known as Cobalt Strike Beacon, can be used to inject into other processes and, together with several other tools, to steal credentials, escalate privileges and move across the network. The attackers also search all computer objects in the Active Directory database to locate Windows servers and hosts. Cobalt Strike is further used for credential dumping with "ProcDump".

Before deploying the ransomware, the attackers disable Windows Defender across the victim's entire network using PowerShell scripts and legitimate tools. Once all payloads have been deployed, Windows Defender is disabled and services across the organization are stopped, the Windows Sysinternals tool "PsExec" is used to launch the WastedLocker ransomware itself, which encrypts the victim's data and deletes Windows shadow volumes, wiping backups and file snapshots to make recovery impossible.

The threat actors behind this attack are highly experienced, and if the intrusion into a victim's network goes unidentified and unaddressed it can cause substantial damage.
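The stages above (script-host reconnaissance with whoami/net, PowerShell download, PsExec-launched binaries, shadow-copy deletion) map onto a few process-creation detections. The following is an added example, not part of the alert: it scores constructed process-creation events against those stages and escalates hosts that show more than one stage. The event field names, the sample events and the use of vssadmin/wmic as the shadow-copy deletion commands are assumptions (the alert does not name the commands).

```python
import re
from collections import defaultdict

# Each rule: (name, regex on the parent image path, regex on the child command line).
# Patterns mirror the stages the alert describes: script-host reconnaissance and
# PowerShell download, PsExec-launched binaries, and shadow-copy deletion.
# "vssadmin"/"wmic shadowcopy" are the usual commands for the last stage and are
# an assumption; the alert itself does not name them.
RULES = [
    ("script-host recon", r"(wscript|cscript)\.exe$", r"\b(whoami|net\s+(user|group))\b"),
    ("script-host powershell", r"(wscript|cscript)\.exe$", r"\bpowershell\b"),
    ("psexec service launch", r"psexesvc\.exe$", r".+"),
    ("shadow copy deletion", r".*", r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete"),
]

def classify(event):
    """Return the names of all rules a single process-creation event matches."""
    parent = event.get("parent_image", "")
    cmd = event.get("command_line", "")
    return [name for name, parent_re, cmd_re in RULES
            if re.search(parent_re, parent, re.I) and re.search(cmd_re, cmd, re.I)]

def triage(events):
    """Map each host to the sorted list of rule names it triggered."""
    per_host = defaultdict(set)
    for ev in events:
        for hit in classify(ev):
            per_host[ev["host"]].add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}

def escalated(events):
    """Hosts that triggered two or more distinct rules, i.e. more than one stage."""
    return sorted(host for host, hits in triage(events).items() if len(hits) >= 2)

# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "parent_image": r"C:\Windows\System32\wscript.exe", "command_line": "whoami /all"},
    {"host": "WS01", "parent_image": r"C:\Windows\System32\wscript.exe", "command_line": 'net group "Domain Admins" /domain'},
    {"host": "WS01", "parent_image": r"C:\Windows\System32\wscript.exe", "command_line": "powershell -w hidden -File stage2.ps1"},
    {"host": "SRV02", "parent_image": r"C:\Windows\PSEXESVC.exe", "command_line": r"C:\Windows\Temp\upd.exe"},
    {"host": "SRV02", "parent_image": r"C:\Windows\Temp\upd.exe", "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS07", "parent_image": r"C:\Windows\explorer.exe", "command_line": "net user"},  # benign: no script host
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, hits)
    print("escalate:", escalated(SAMPLE_EVENTS))
```

Feed it your EDR or Sysmon export by loading events into the same three fields; hosts returned by escalated() are the ones to isolate first.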

IOC:

IP Address:


Domain:


Hashes:

Kindly visit the URL:

stedlocker-ransomware-us

Countermeasures and Best practices for prevention:

Maintain appropriate firewall policies to block malicious traffic entering the system/network. Enable a personal firewall on workstations.

Keep antivirus/antimalware software updated so that threats are detected before they infect the system/network. Always scan external drives/removable devices before use. Leverage anti-phishing solutions that help protect credentials and guard against malicious file downloads.

It is also important to keep web filtering tools updated.

Block the IP addresses of known malicious sites to prevent devices from being able to access them. Activate intelligent website blacklisting to block known bad websites.

Use limited-privilege user accounts on computers, and grant administrative access to systems only through dedicated administrative accounts for administrators.

Block websites hosting JavaScript miners both at the gateway and at the endpoints.

Keep software and the OS up to date so that attackers cannot take advantage of or exploit known vulnerabilities.

Change default login credentials, as they are readily available to attackers.

Avoid downloading files from untrusted websites.

Go beyond intrusion detection to protect servers with runtime memory protection for critical applications and server workloads, ensuring a defense against actors who already have a grip on your server.

Disable Autorun and Autoplay policies.

Consider using application whitelists to prevent unknown executables from launching autonomously.

Remove the system changes made by the malware, such as created files, registry entries and services.

Monitor traffic generated from client machines to the domains and IP addresses mentioned in the IOC section above.

Disable unnecessary services on agency workstations and servers.
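The monitoring countermeasure above needs the alert's defanged indicators ("[d0t]" for ".", paths such as /gate[d0t]php appended to a domain) turned back into matchable hosts, with subdomain matches caught and look-alike names not. The following is an added example, not part of the alert: a small refanger and matcher run over constructed proxy log lines. The log format, the indicator values and the sample lines are constructed for this illustration; none of them are the alert's real IOCs.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def refang(indicator):
    """'host[d0t]tld/path[d0t]php' -> ('host.tld', '/path.php'); IPs -> (ip, '')."""
    value = re.sub(r"\[(?:d0t|dot|\.)\]", ".", indicator.strip(), flags=re.I)
    value = re.sub(r"^hxxp", "http", value, flags=re.I)  # common "hxxp://" defang
    if "://" not in value:
        value = "http://" + value  # let urlsplit separate host from path
    parts = urlsplit(value)
    return parts.hostname.lower(), parts.path

def build_matcher(indicators):
    """Split indicators into IP addresses and domains; return a predicate on a host."""
    ips, domains = set(), set()
    for ind in indicators:
        host, _ = refang(ind)
        try:
            ips.add(ipaddress.ip_address(host))
        except ValueError:
            domains.add(host)
    def is_listed(host):
        host = host.lower().rstrip(".")
        try:
            return ipaddress.ip_address(host) in ips
        except ValueError:
            # exact domain or a subdomain of it; 'notbad-tracker...' must not match 'bad-tracker...'
            return any(host == d or host.endswith("." + d) for d in domains)
    return is_listed

# Assumed proxy log layout: "<timestamp> <client-ip> <destination-host> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<url>\S+)$")

def scan_log(lines, is_listed):
    """Return (client, destination host) pairs whose destination is a listed indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_listed(m["host"]):
            hits.append((m["client"], m["host"]))
    return hits

# Constructed indicators and log lines (not the alert's real IOCs).
IOCS = ["198[d0t]51[d0t]100[d0t]23", "bad-tracker[d0t]example[d0t]net/index[d0t]php",
        "hxxp://sub[d0t]other[d0t]example[d0t]com"]
SAMPLE_LOG = [
    "2020-07-01T10:02:11Z 10.0.0.15 www.intranet.example.org http://www.intranet.example.org/",
    "2020-07-01T10:02:19Z 10.0.0.15 click.bad-tracker.example.net http://click.bad-tracker.example.net/index.php",
    "2020-07-01T10:03:02Z 10.0.0.22 198.51.100.23 http://198.51.100.23/gate.php",
    "2020-07-01T10:03:40Z 10.0.0.31 notbad-tracker.example.net http://notbad-tracker.example.net/",
]
```

Calling scan_log(SAMPLE_LOG, build_matcher(IOCS)) flags the second and third lines only; the look-alike fourth host is left alone.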

