WastedLocker Can Now ByPass Behavioral Detections in Anti-Malware Software

An important aspect of behavior-based anti-malware software is to identify and prevent frequent sequential file operations, such as quickly opening, editing, and closing the files opened by external applications. WastedLocker ransomware is now using advanced techniques to bypass behavior-based anti-malware tools by exploiting Windows memory management features.


A sequence of maneuvers to evade detection

WastedLocker is abusing the internal working procedure of Windows cache memory.
  • At the beginning of August 2020, Sophos security researchers found that WastedLocker has employed specific techniques to obfuscate its code and perform certain tasks that mirror the subroutines.
  • Moreover, WastedLocker moves the files to Windows cache memory, conducts data encryption, and then writes them back to the original memory location. This makes an impression that only allowed system processes are making edits to the files, thus avoiding suspicion of behavior-based anti-malware solutions.


The BitPaymer and WastedLocker connection

Researchers identified noteworthy similarities between the WastedLocker and BitPaymer code. Thus, it may be a possibility that WastedLocker is an evolutionary descendant of BitPaymer.
  • Both the malware abuse Alternate Data Stream (ADS) and the User Account Control (UAC) bypass technique in the same way. Furthermore, they use similar custom API resolve functions and encryption methods.
  • Both, WastedLocker and BitPaymer use custom ransom notes for every individual victim.


WastedLocker catastrophe

  • First observed in June 2020, WastedLocker ransomware has already hit several targets in association with the Evil Corp gang and demanded millions of USD in payments.
  • The ransomware recently launched attacks on major U.S. corporations, including dozens of U.S. news sites, and smartwatch and wearable maker Garmin.


The bottom line

Attacks by WastedLocker have become more frequent lately. Looking at the enhancements made by its developers, it would be safe to say that these types of attacks will only grow in the near future. As a precautionary measure, security vendors should immediately roll out crucial code updates to users to patch any identified vulnerabilities.