Friday, December 8, 2023

Hackers Abuse Windows Feature To Launch WastedLocker Ransomware to Evade Detection

Recently one of the most dangerous ransomware, WastedLocker, owes its success to a unique bypass mechanism for security solutions and tools that block ransomware.

Initially, WastedLocker appeared this year in May, and it’s a part of the arsenal of the famous cybercriminal group Evil Corp, which is also known as Dridex.

It was used in the dramatic attack on Garmin, which allegedly paid Evil Corp $10 million for a file decryption tool or key. This is one of the latest incidents in a growing number of ransomware attacks against large organizations.

Apart from this, the security researchers at Sophos briefly analyzed WastedLocker and discovered that it uses supplementary tools to evade detection.

Memory trick 

The creators of WastedLocker have conceived a sequence of tactics to agitate behavior-based anti-ransomware solutions. Many ransomware families use code obfuscation to evade detection, but the creators of the WastedLocker have added another layer of protection to it.

As WastedLocker interacts with the Windows API functions straight from memory, where behavior-based ransomware detection tools cannot reach to abuse Windows to launch itself. Here, to evade the security tools, WastedLocker encrypts the files on the compromised system using memory-mapped I/O.

This method allows the ransomware to transparently encrypt cached documents in memory without causing additional disk I/O. When the security tool detects the infection, it gets too late to do anything or take any further actions to defuse it.

The first signs of an attack are the already encrypted files and a ransom note. If attackers manage to gain administrator credentials, then they can easily connect to the VPN or disable the security tools installed on the affected systems.

Code evolution

  • Abuse of Alternate Data Streams (ADS)
  • Customized API resolving method
  • UAC bypass
  • Encryption methods
  • Ransom note composition
  • Similar style of command-line arguments

Moreover, in the absence of two-factor authentication, the threat actors can easily log into RDP, VPN, and admin panels. So, to avoid these types of cyber threats, you should always keep your system OS up to date, use a VPN, a reliable security solution, and a reliable data backup solution.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Users are advised to read the Anti-ransomware checklist and Ransomware Attack Response Checklist


Latest articles

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles