Ransomware 6 – How does WastedLocker work in the real world

Initial spreading

Drive-by Compromise https://attack.mitre.org/techniques/T1189/

The infection starts with fake Google Chrome updates, delivered through drive-by downloads when victims browse compromised websites. The initial malware arrives as a ZIP archive that contains a malicious JavaScript file.

Theoretical mitigations: Application Isolation and Sandboxing, Exploit Protection, Restrict Web-Based Content, Update Software

Real-world mitigations: None

Execution, discovery

WastedLocker uses Microsoft PowerShell, PsExec, Windows Management Instrumentation (WMI), ProcDump and cmd.

Theoretical mitigations: Privileged Account Management, User Account Management, Filter Network Traffic, Code Signing, and so on.

Real-world mitigations: None

Turn off Antivirus/endpoint security

WastedLocker tries to disable Antivirus/endpoint security, including Symantec Endpoint Protection, Windows Defender, and Cisco AMP for Endpoints.

Theoretical mitigations: Restrict File and Directory Permissions, Restrict Registry Permissions, User Account Management

Real-world mitigations: None

Encrypts files

The ransomware uses the AES algorithm to encrypt files. It appends the extension .eswasted to the original file names. For example, a resulting file name might be example.doc.eswasted.

Theoretical mitigations: None

Real-world mitigations: None
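An added detection example for the encryption stage described above (not part of the original post): it scans constructed file-system event lines, flags every file that received the .eswasted extension, and escalates when several appear within a short window, which is the moment a defender can still isolate the host. The event format and the window/threshold values are assumptions.

```python
# Added example (not from the original post): a toy detector for the file
# encryption stage described above. Input format is assumed:
# "<ISO timestamp> <action> <path>", one event per line.
from datetime import datetime, timedelta

ENCRYPTED_SUFFIX = ".eswasted"          # extension WastedLocker appends
BURST_WINDOW = timedelta(seconds=10)    # tuning values are assumptions, not from the post
BURST_THRESHOLD = 3

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = """\
2020-07-01T10:00:00 CREATE C:\\Users\\bob\\report.docx
2020-07-01T10:00:02 RENAME C:\\Users\\bob\\report.docx.eswasted
2020-07-01T10:00:03 RENAME C:\\Users\\bob\\budget.xlsx.eswasted
2020-07-01T10:00:04 RENAME C:\\Users\\bob\\photo.jpg.eswasted
2020-07-01T10:05:00 CREATE C:\\Users\\bob\\notes.txt
""".splitlines()


def parse_event(line):
    """Split one event line into (timestamp, action, path)."""
    ts, action, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), action, path


def find_encrypted_files(lines):
    """Return (timestamp, path) for each event producing a .eswasted file."""
    hits = []
    for line in lines:
        ts, _action, path = parse_event(line)
        if path.lower().endswith(ENCRYPTED_SUFFIX):
            hits.append((ts, path))
    return hits


def detect_burst(hits, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """True if at least `threshold` encrypted files appear inside any window.

    A single .eswasted file is worth an alert; a burst of them within seconds
    is the pattern to stop the host on, before the rest of the share is hit.
    """
    hits = sorted(hits)
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False
```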

Why do none of these sophisticated solutions work?

1. The initial trigger is inevitable when humans are using computers

2. WastedLocker uses legitimate software from Microsoft (including Windows system tools and the Microsoft Sysinternals Suite)

3. Antivirus doesn't have the new virus signature yet

4. No one can recover files without the decryption key

References:

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WastedLocker.WT!MTB&ThreatID=2147758335

https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html
