Friday, May 24, 2024

Hackers Abuse Windows Feature To Launch WastedLocker Ransomware to Evade Detection

Recently one of the most dangerous ransomware, WastedLocker, owes its success to a unique bypass mechanism for security solutions and tools that block ransomware.

Initially, WastedLocker appeared this year in May, and it’s a part of the arsenal of the famous cybercriminal group Evil Corp, which is also known as Dridex.

It was used in the dramatic attack on Garmin, which allegedly paid Evil Corp $10 million for a file decryption tool or key. This is one of the latest incidents in a growing number of ransomware attacks against large organizations.

Apart from this, the security researchers at Sophos briefly analyzed WastedLocker and discovered that it uses supplementary tools to evade detection.

Memory trick 

The creators of WastedLocker have conceived a sequence of tactics to agitate behavior-based anti-ransomware solutions. Many ransomware families use code obfuscation to evade detection, but the creators of the WastedLocker have added another layer of protection to it.

As WastedLocker interacts with the Windows API functions straight from memory, where behavior-based ransomware detection tools cannot reach to abuse Windows to launch itself. Here, to evade the security tools, WastedLocker encrypts the files on the compromised system using memory-mapped I/O.

This method allows the ransomware to transparently encrypt cached documents in memory without causing additional disk I/O. When the security tool detects the infection, it gets too late to do anything or take any further actions to defuse it.

The first signs of an attack are the already encrypted files and a ransom note. If attackers manage to gain administrator credentials, then they can easily connect to the VPN or disable the security tools installed on the affected systems.

Code evolution

  • Abuse of Alternate Data Streams (ADS)
  • Customized API resolving method
  • UAC bypass
  • Encryption methods
  • Ransom note composition
  • Similar style of command-line arguments

Moreover, in the absence of two-factor authentication, the threat actors can easily log into RDP, VPN, and admin panels. So, to avoid these types of cyber threats, you should always keep your system OS up to date, use a VPN, a reliable security solution, and a reliable data backup solution.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Users are advised to read the Anti-ransomware checklist and Ransomware Attack Response Checklist


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles