2025-02-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article gives a detailed case analysis of WastedLocker ransomware activity. The material is shared here for reference; after reading it you should have a working understanding of how this family operates.
Ransomware overview
Recently, Unit42 researchers have observed an increase in WastedLocker ransomware activity, which has been rising since WildFire analyzed the first sample of the family in May 2020. WastedLocker resembles ransomware such as Samsa, Maze, EKANS, Ryuk and BitPaymer, and differs from families that infect users indiscriminately at scale, such as WannaCry. Ransomware like WastedLocker is generally aimed at organizations with a large number of assets: the operators deploy it to as many of the target organization's internal systems as possible in a short period of time, in order to extract the largest possible ransom.
Targets
Based on data from the AutoFocus threat intelligence platform, Unit42 has been able to identify the main targets of the attackers behind WastedLocker. Most target organizations are located in the United States and span a number of sectors, including professional and legal services, utilities, energy, manufacturing, wholesale and retail, high-tech companies, engineering firms, pharmaceutical and life science companies, and transportation and logistics.
Technical analysis
Initial infection vector
According to Symantec's earlier analysis of WastedLocker, the most common initial infection mechanism is a fake software-update ZIP file disguised as a legitimate update. The archive contains the malicious SocGholish JavaScript framework loader, which profiles the target user's computer and then uses PowerShell to deploy the final Cobalt Strike payload.
Lateral movement
Once the Cobalt Strike payload is running on the victim's system, the attacker uses it to move laterally through the target network and identify other systems that can be attacked. The researchers also found that the WastedLocker attackers use legitimate Windows utilities such as WMI and PsExec for this purpose. For high-value victims, the attackers also go directly after the target's customer-facing financial and business operating systems, as well as internal systems with high visibility and high usage, including data backup systems.
Final payload
Finally, once the attacker has completed reconnaissance of the target network, they use one or more system management tools to install and execute the WastedLocker ransomware payload. When the payload runs on a host, it does the following:
If the process does not already have administrator privileges, it attempts to elevate privileges on the target system.
It attempts to disable the Windows Defender monitoring process.
It deletes shadow copies on the target system.
It installs itself as a system service.
Once these steps are complete, the payload deployment is finished and the files have been encrypted. The ransomware appends "wasted" as the suffix of each encrypted file, and the accompanying ransom note carries the suffix "wasted_info".
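To make the chain above concrete, here is an added detection example in Python (it is not part of the original article and not Unit42 code): a small rule set run over constructed Sysmon-style process-creation events covering the stages the page describes, namely the SocGholish script-host to PowerShell hand-off, PsExec and WMI lateral movement, Defender tampering, shadow-copy deletion and service installation. The hostnames, paths, command lines and the specific command patterns (vssadmin, wmic, sc, Set-MpPreference) are assumptions made for the example; the page names only the techniques, not the exact commands. Privilege escalation is left out because the page does not say how it is done.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed Sysmon Event ID 1 (process creation) style records, written for
# this example only. Hostnames, paths, the encoded PowerShell argument and the
# service/binary names are placeholders, not indicators from a real intrusion.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    {"host": "SRV-FIN01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "SRV-BKP01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"host": "SRV-FIN01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV-FIN01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "SRV-FIN01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe create updsvc binPath= C:\Windows\Temp\upd.exe start= auto"},
    {"host": "SRV-BKP01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _search(pattern: str):
    """Case-insensitive regex matcher over a command line."""
    return re.compile(pattern, re.IGNORECASE).search


# (stage, rule name, predicate). The command-line patterns are common tooling
# assumed for this example; the page describes only the techniques.
RULES = [
    ("initial-access", "script host launching PowerShell (SocGholish loader pattern)",
     lambda e: basename(e["parent"]) in SCRIPT_HOSTS and basename(e["image"]) == "powershell.exe"),
    ("lateral-movement", "PsExec service binary started",
     lambda e: basename(e["image"]) == "psexesvc.exe"),
    ("lateral-movement", "WMI provider host spawning a shell",
     lambda e: basename(e["parent"]) == "wmiprvse.exe" and basename(e["image"]) in SHELLS),
    ("defense-evasion", "Windows Defender monitoring disabled",
     lambda e: bool(_search(r"set-mppreference\s+-disable|\bsc(\.exe)?\s+(stop|config)\s+windefend")(e["cmdline"]))),
    ("impact", "shadow copies deleted",
     lambda e: bool(_search(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete")(e["cmdline"]))),
    ("persistence", "service created from the command line",
     lambda e: bool(_search(r"\bsc(\.exe)?\s+create\b")(e["cmdline"]))),
]


@dataclass
class Finding:
    host: str
    stage: str
    rule: str
    cmdline: str


def scan(events):
    """Run every rule over every event; one Finding per (event, matching rule)."""
    return [Finding(e["host"], stage, name, e["cmdline"])
            for e in events for stage, name, match in RULES if match(e)]


def summarize(findings):
    """Map each host to the sorted list of attack stages observed on it."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.stage)
    return {host: sorted(stages) for host, stages in by_host.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:10} {f.stage:16} {f.rule}: {f.cmdline}")
    for host, stages in summarize(found).items():
        print(host, "->", ", ".join(stages))
```

A host that accumulates several stages in a short window (in the sample, SRV-FIN01 shows Defender tampering, shadow-copy deletion and a new service) is the one to isolate first; a single script-host to PowerShell hit on a workstation is the earlier, cheaper place to stop the chain.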
We analyzed the *.wasted_info ransom note and found that the variable data in it is the attacker's contact e-mail address: different WastedLocker operators use different mail providers, including PROTONMAIL.CH, AIRMAIL.CC, ECLIPSO.CH, TUTANOTA.COM and PROTONMAIL.COM.
A sample ransom note is shown below:
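As an added example (not from the original article), the following Python triage script scans a directory tree for files carrying the suffixes named above, counts them per directory, and parses any ransom notes for contact addresses and the key blob between the [begin_key] and [end_key] markers. The directory layout, file names, e-mail addresses and key blob are constructed placeholders; the note text follows the layout of the sample note reproduced below on this page.

```python
import os
import re
import tempfile

# Suffixes as described on this page: encrypted files end in "wasted", the
# accompanying note in "wasted_info". Matching on the suffix rather than an
# exact extension also catches names with extra characters in front of it.
ENCRYPTED_SUFFIX = "wasted"
NOTE_SUFFIX = "wasted_info"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
KEY_RE = re.compile(r"\[begin_key\](.*?)\[end_key\]", re.DOTALL)

# Constructed note following the layout of the sample on this page. The
# addresses and the key blob are placeholders, not real indicators.
SAMPLE_NOTE = """YOUR NETWORK IS ENCRYPTED NOW
USE |contact1@protonmail.ch|contact2@airmail.cc| TO GET THE PRICE FOR YOUR DATA
DO NOT GIVE THIS EMAIL TO 3RD PARTIES
DO NOT RENAME OR MOVE THE FILE
THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]
Q09OU1RSVUNURURfUExBQ0VIT0xERVJfS0VZX0JMT0I=
[end_key]
KEEP IT
"""


def parse_note(text: str) -> dict:
    """Pull contact addresses and the key blob out of one ransom note."""
    m = KEY_RE.search(text)
    return {
        "contacts": sorted({a.lower() for a in EMAIL_RE.findall(text)}),
        "key_blob": m.group(1).strip() if m else None,
    }


def triage(root: str) -> dict:
    """Walk a tree: count encrypted files per directory, parse every note."""
    encrypted, notes = 0, 0
    contacts, keys, dirs = set(), set(), set()
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in files:
            lname = name.lower()
            if lname.endswith(NOTE_SUFFIX):
                notes += 1
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    parsed = parse_note(fh.read())
                contacts.update(parsed["contacts"])
                if parsed["key_blob"]:
                    keys.add(parsed["key_blob"])
            elif lname.endswith(ENCRYPTED_SUFFIX):
                encrypted += 1
                dirs.add(rel)
    return {
        "encrypted_count": encrypted,
        "note_count": notes,
        "affected_dirs": sorted(dirs),
        "contacts": sorted(contacts),
        "key_blobs": sorted(keys),
    }


def build_sample_tree(root: str) -> None:
    """Constructed victim layout: two shares, one untouched file."""
    layout = {
        "docs/report.docx.wasted": b"\x00" * 32,
        "docs/budget.xlsx.wasted": b"\x00" * 32,
        "docs/report.docx.wasted_info": SAMPLE_NOTE.encode(),
        "share/finance/q1.pdf.wasted": b"\x00" * 32,
        "share/finance/q1.pdf.wasted_info": SAMPLE_NOTE.encode(),
        "share/readme.txt": b"not encrypted\n",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Run triage against a read-only mount or a copy of the affected share, never the live system, and keep the contact addresses and key blobs with the case file: if more than one distinct key blob turns up across notes, track the hosts that produced them separately.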
YOUR NETWORK IS ENCRYPTED NOW
USE | TO GET THE PRICE FOR YOUR DATA
DO NOT GIVE THIS EMAIL TO 3RD PARTIES
DO NOT RENAME OR MOVE THE FILE
THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key] [end_key]
KEEP IT

This concludes the case analysis of WastedLocker ransomware activity. I hope the above content is helpful to you. If you found the article useful, share it so that more people can read it.
© 2024 shulou.com SLNews company. All rights reserved.