zephyr_p - stock.adobe.com

Evil Corp’s latest ransomware project spreading fast

A new ransomware strain dubbed WastedLocker is spreading rapidly and targeting major corporations

The Russian cyber criminal gang known as Evil Corp appears to be operating a new ransomware strain, WastedLocker, which has been in widespread circulation since May 2020, according to researchers at NCC’s Fox-IT unit.

Evil Corp had scaled back its activity following the indictment of two of its higher-profile alleged members in the US in 2019 – Igor Turashev and Maksim Yakubets are wanted for their role in the creation and dissemination of the Bugat/Dridex and Zeus banking trojans.

However, threat researchers Nikolaos Pantazopoulos, Stefano Antenucci and Michael Sandee said that even though “business” associations can be fairly fluid in organised cyber criminal gangs, with partnerships and affiliations formed and dissolved at the drop of a hat, they were able to assess with a high degree of confidence that Evil Corp is behind WastedLocker.

They said the group has access to highly skilled exploit and software developers and puts a lot of effort into bypassing endpoint protection solutions – in one case even posing as a legitimate customer to get a free trial out of a cyber security supplier. They are known to be well-experienced, patient and persistent, with a high degree of attention to detail.

WastedLocker – so named because it adds an extension to encrypted files that consists of the victim’s name and the string “wasted”, is thought to be a replacement for the group’s three-year-old BitPaymer strain, with little code reuse or similarities.

It infects its targets via a malicious JavaScript framework, SocGholish, which disguises itself as a software update and, according to Symantec, has been tracked to more than 150 compromised websites. Once inside its target, it uses CobaltStrike commodity malware to steal credentials, escalate privileges and move laterally through the network to deploy WastedLocker on as many machines as possible.

Symantec said that through its own analytics tool, it has to date detected WastedLocker attacks on 31 organisations, all of them in the US, mostly major corporations. It said 11 of them were listed, and eight were Fortune 500 companies.

Erich Kron, one of KnowBe4’s security awareness advocates, said he was not terribly surprised to see Evil Corp back on the scene.

“Now it seems we know why they were gone for a little while – they were working on this new strain of ransomware,” said Kron. “I’ve often joked about products that are marketed as new and improved; however, in this case, that does seem to be the truth.

“A lot of effort went into writing this, apparently from scratch, where generally we can expect to see a variant of a previous strain, or at least some code reuse, within the new product. Interestingly enough, it seems the only similarities lie in the ransom note.”

Unlike others, Evil Corp has not yet adopted the tactic of threatening to publish stolen information on its victims, and Kron noted this was quite unusual, although he added that it might simplify things for Evil Corp – in that it doesn’t have to deal with storing and publishing any exfiltrated data, or risk exposing itself during the theft.

Read more about ransomware

“Their price tags are big enough that we can assume they will be happy with getting just a few victims to pay up,” said Kron. “They do seem to have a pretty good plan that covers how to make that happen by targeting specific types of servers and looking for backups wherever they can find them. Once ransomware encrypts your backups, your choices become very limited as to how to proceed.”

Although Evil Corp appears to be using WastedLocker to target businesses for now, Steve Moore of Exabeam said the past 12 months have proved beyond any doubt how damaging ransomware can be – particularly for public sector agencies and government bodies – and said the stakes in 2020 will be even higher as the US presidential election approaches.

“The cyber security community will need to step up in this time of need and provide a way for federal and state election systems to lock down on foreign interference and ransomware,” he said. “This will require government entities to assign cyber professionals and task force teams to prepare any new system to function entirely remotely while staying locked down and uninfluenced by external or internal bad actors.

“There are steps that agencies and organisations can take to increase their chances of detecting and disrupting and motivated adversaries. These attacks are simple in delivery, yet difficult to prevent – especially since infections usually disguise themselves as innocent attachments or email links.

“Agencies can educate their staff, but there’s no guarantee someone won’t slip up eventually – it only takes one, especially while working from home.”

Moore added that commodity security controls were, by and large, unable to keep up with the pace of ransomware development and update, so the fightback needed to be geared to changing and reducing undocumented business processes that hide within inbound emails, and giving greater capabilities to security teams, such as behavioural analytics and machine learning.

Read more on Hackers and cybercrime prevention

Data Center
Data Management