Initial spreading
Drive-by Compromise https://attack.mitre.org/techniques/T1189/
Fake Google Chrome updates that are delivered to victims via drive-by download attacks when victims browse compromised websites. The initial malware is delivered to victims in the form of a ZIP archive that contains a malicious JavaScript file.
Theoretical mitigations: Application Isolation and Sandboxing, Exploit Protection, Restrict Web-Based Content, Update Software
Real-world mitigations: None
Execution, discovery
WastedLocker uses Microsoft PowerShell, PsExec, Windows Management Instrumentation (WMI), ProcDump and cmd.
Theoretical mitigations: Privileged Account Management, User Account Management, Filter Network Traffic, Code Signing, …
Real-world mitigations: None
Turn off Antivirus/endpoint security
WastedLocker tries to disable Antivirus/endpoint security, including Symantec Endpoint Protection, Windows Defender, and Cisco AMP for Endpoints.
Theoretical mitigations: Restrict File and Directory Permissions, Restrict Registry Permissions, User Account Management
Real-world mitigations: None
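The two sections above (legitimate admin tools used for execution and discovery, and security services being stopped or disabled) are both visible in ordinary Windows logs. The following Python is an added example, not code from the page or from any referenced report: it classifies constructed "EventID|Message" lines modelled on Security 4688 (process creation) and System 7036/7040 (service state and start-type changes). The executable names, the service display names and the log line format are assumptions made for the example.

```python
"""Flag Windows events that fit two WastedLocker behaviours described on the page:
abuse of legitimate admin tools and tampering with endpoint-security services."""
import os
import re

# Tools named on the page; the executable names are assumptions for this example.
# cmd.exe is left out because it fires constantly in normal administration.
ADMIN_TOOLS = {
    "psexec.exe", "psexesvc.exe",       # PsExec client and the service it drops
    "procdump.exe", "procdump64.exe",   # ProcDump
    "wmic.exe",                         # WMI command line
    "powershell.exe",
}

# Products named on the page; service display names are assumptions.
SECURITY_SERVICES = {
    "windows defender antivirus service",
    "symantec endpoint protection",
    "cisco amp for endpoints connector",
}

PROCESS_RE = re.compile(r"New Process Name:\s*(?P<path>\S+)")
SERVICE_STOP_RE = re.compile(
    r"The (?P<svc>.+?) service entered the (?:stopped|paused) state")
SERVICE_DISABLE_RE = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed from .+ to disabled")


def classify_event(line):
    """Return (category, detail) for one 'EventID|Message' line, or None if benign."""
    event_id, _, message = line.partition("|")
    if event_id == "4688":
        m = PROCESS_RE.search(message)
        if m:
            # Normalise the Windows path so basename() works on any host.
            exe = os.path.basename(m.group("path").replace("\\", "/")).lower()
            if exe in ADMIN_TOOLS:
                return ("admin-tool", exe)
    elif event_id in ("7036", "7040"):
        m = SERVICE_STOP_RE.search(message) or SERVICE_DISABLE_RE.search(message)
        if m and m.group("svc").lower() in SECURITY_SERVICES:
            return ("security-service-tamper", m.group("svc"))
    return None


def find_suspicious(lines):
    """Run classify_event over a batch of lines and keep only the hits."""
    return [hit for hit in (classify_event(ln) for ln in lines) if hit]


# Constructed sample events in the simplified 'EventID|Message' form.
SAMPLE_EVENTS = [
    r"4688|A new process has been created. New Process Name: C:\Windows\System32\notepad.exe",
    r"4688|A new process has been created. New Process Name: C:\Tools\PsExec.exe",
    r"4688|A new process has been created. New Process Name: C:\Tools\procdump64.exe",
    "7036|The Print Spooler service entered the stopped state.",
    "7036|The Windows Defender Antivirus Service service entered the stopped state.",
    "7040|The start type of the Symantec Endpoint Protection service was changed from auto start to disabled.",
    "7036|The Windows Update service entered the running state.",
]

if __name__ == "__main__":
    for category, detail in find_suspicious(SAMPLE_EVENTS):
        print(f"{category}: {detail}")
```

Neither hit is conclusive on its own (administrators run PsExec and stop services too), which is the point the page makes about legitimate tooling; the value comes from correlating an admin-tool launch with a security-service stop on the same host within a short window.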
Encrypts files
The ransomware uses the AES algorithm to encrypt files. It appends the extension .eswasted to the original file names. For example, a resulting file name might be example.doc.eswasted.
Theoretical mitigations: None
Real-world mitigations: None
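The .eswasted naming pattern above is the one artefact a responder can act on without the key: it tells you which files were hit and what they were called before. The following Python is an added example, not code from the page: it walks a directory tree, picks out files carrying the extension (a name that merely contains the string is not a match) and maps each back to its original name, with per-directory counts as a blast-radius summary. The sample tree is constructed in a temporary directory for the example.

```python
"""Locate files renamed with the .eswasted extension and recover their original
names, as a quick scope check for responders. Added example, not page code."""
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".eswasted"


def original_name(path):
    """Return the pre-encryption name for a .eswasted file, or None.
    Only a trailing extension counts; 'notes_eswasted_list.txt' is not a hit."""
    if path.lower().endswith(RANSOM_EXT):
        return path[: -len(RANSOM_EXT)]
    return None


def scan_tree(root):
    """Walk root and return the encrypted files, their original names and
    a count per directory (relative to root)."""
    encrypted = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            orig = original_name(full)
            if orig is not None:
                encrypted.append((full, orig))
    per_dir = Counter(
        os.path.relpath(os.path.dirname(enc), root) for enc, _ in encrypted)
    return {"encrypted": encrypted, "per_dir": dict(per_dir), "count": len(encrypted)}


def build_sample_tree():
    """Create a constructed temp tree imitating a hit file share; returns its root."""
    root = tempfile.mkdtemp(prefix="eswasted_demo_")
    layout = {
        "docs": ["example.doc.eswasted", "budget.xlsx.eswasted", "readme.txt"],
        os.path.join("docs", "archive"): ["old.pdf.eswasted"],
        "tools": ["notes_eswasted_list.txt"],  # contains the string, not the extension
    }
    for sub, files in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for f in files:
            open(os.path.join(d, f), "w").close()
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    report = scan_tree(demo_root)
    print(f"{report['count']} encrypted files")
    for enc, orig in report["encrypted"]:
        print(f"  {os.path.relpath(enc, demo_root)} -> {os.path.relpath(orig, demo_root)}")
    print("per directory:", report["per_dir"])
```

Stripping the extension recovers the name only; the content stays AES-encrypted, which is why the page lists no real-world mitigation for this stage and why the inventory matters mainly for deciding what to restore from backup.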
Why does none of these sophisticated solutions work?
1 The initial trigger is inevitable when humans are using computers
2 WastedLocker uses legitimate software from Microsoft (including Windows system tools and the Microsoft Sysinternals Suite)
3 Antivirus products don't have the new virus signature yet
4 No one can recover the files without the decryption key
Reference:
https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html
Ransomware 7 – Common sense to prevent Ransomware