WastedLocker Ransomware Launched Attacks Against U.S. Organizations

Recently, Fox-IT researchers identified a new WastedLocker ransomware variant deployed by the Evil Corp group. Now it has been identified that the some Russian hacker’s group has changed a number of TTPs related to their recent operations.

What’s new this time

Now, Symantec researchers have reported that attackers were preparing to attack dozens of U.S. corporations. It is believed that the total number of attacks may be much higher than believed earlier.
  • WastedLocker ransomware operators, Evil Corp, attempted to launch attacks against at least 31 organizations, including 8 Fortune 500 companies.
  • Evil Corp attackers are using the SocGholish framework as an initial attack vector, which masquerades as a software update. More than 150 legitimate websites referred traffic to websites hosting the SocGholish zip file.
  • After gaining access to the victim’s network, attackers use the Cobalt Strike commodity malware in tandem with a number of living-off-the-land tools to carry out credential dumping using ProcDump and to clean-off the log files.
  • Organizations in a diverse range of sectors - Manufacturing, Information Technology, Media, and Telecommunications - were on the target list.

Past campaigns using SocGholish

In recent attacks, hackers have been observed using SocGholish, a malicious toolkit, to trick the victims that they need to upgrade their software to deploy different malware on the compromised websites.
  • In February this year, SocGholish campaigns used fake update-themed web pages to trick potential victims into downloading NetSupport RAT or Chthonic banking malware.
  • In September 2019, a SocGholish (FakeUpdates) campaign, using the Domen toolkit, leveraged compromised websites with the fake browser and software update alerts and spread NetSupport Manager RAT.

Conclusion

Though WastedLocker is a newly developed ransomware, it is still not designed to steal the data or to threaten the victims of publishing the stolen data, which has become a trend with several other ransomware families like Maze and DopplePaymer.