Cause and Effect: WastedLocker Ransomware Analysis

In July of 2020, Tetra assisted an organization in recovering from a WastedLocker ransomware infection. While all strains of ransomware can be devastating, WastedLocker is a relatively new and extremely hazardous one. Active since May of 2020, just two months prior to this case, WastedLocker is prolific in using JavaScript-based malware from over a hundred compromised websites to gain a foothold in victim networks. Many in the information security community believe Evil Corp, the same cybercrime group behind BitPaymer ransomware and Dridex malware, runs WastedLocker.

WastedLocker attacks have targeted individual organizations within the U.S. and at least 13 other countries, maliciously encrypting them using a number of unique strategies and tools. In this particular case, these tools included social engineering, PowerSploit, Cobalt Strike, Remote Desktop Protocol (RDP), and even a fake Google Chrome update. After a successful WastedLocker ransomware attack, all accessible user files on a victim’s network are encrypted, leaving the remaining filename extensions to contain the word “wasted” – hence the ransomware name.

Method of Compromise: Drive-by Download of SocGholish

An organization within the energy industry fell victim to WastedLocker ransomware in a very innocent way: while conducting COVID-19 related research. Unfortunately, during this research, a user on the network browsed an article on a newspaper website that was infected with the SocGholish exploit toolkit.

SocGholish is a Remote Access Trojan (RAT) designed to mimic the look and feel of typical website advertisements. It often prompts a user to download an update of trusted software, that when clicked, downloads a trojan that sets WastedLocker ransomware in motion. The newspaper website in this case automatically downloaded a fake Google Chrome update, complete with a prompt for the user to “launch.” The cooperative and unsuspecting user ran the toolkit and downloaded a trojan, all the while believing they were updating their browser. This activity gave the threat actor remote access to the endpoint.

Symantec reported their confirmation that dozens of U.S. newspaper websites owned by the same parent company were compromised in June, but this method of attack is not unique to newspaper websites. Social engineering of this caliber can mimic other trusted websites in hopes of deceiving unsuspecting users. Symantec also reported “at least 150 other legitimate websites that refer traffic to [other] websites hosting the SocGholish zip file,” which puts its prevalence across the internet into perspective.

  • COVID19 related browser activity

    The malicious website required user interaction.

  • Fake Update with SocGholish Exploit

    When clicked, the trojan was downloaded.

  • PowerShell Cobalt Strike Loader

    This allowed the TA to have remote access.

  • Cobalt Strike Beacon

    Gives visibility of the network to the TA.

  • System Utilities

    Allows for faster deployment of ransomware after recon.

  • WastedLocker Execution

    Malicious encryption, ending with altered filenames.

Evidence of Lateral Movement

Within a few days of gaining access to the victim’s network, forensic examination revealed that the WastedLocker threat actor performed recon on the network and stole user credentials. Tetra’s investigation revealed that the attacker also modified a script via yet another tool: PowerSploit.

PowerSploit is an open-source, offensive security framework comprised of PowerShell modules and scripts designed to perform a wide range of penetration testing tasks (code execution, persistence, bypassing antivirus, recon, and exfiltration). The PowerSploit modules allow attackers several different capabilities, including maintaining access to a victim’s network, bypassing antivirus products and security software, accessing passwords saved in memory, and executing code. In this case, PowerSploit was used to capture network traffic and steal credentials.

Other Threat Actor Tools

Additionally, Tetra identified evidence of resource exhaustion events for other hosts, meaning that the first compromised endpoint (the COVID19 research device) acted as a Machine in the Middle (MITM) to intercept traffic. The threat actor intercepted administrator credentials using this MITM technique and subsequently used those credentials to move laterally to other hosts within the victim’s network.

In the next phase of the attack, Tetra found that Cobalt Strike was used (and then later removed) for further access to the network. Cobalt Strike is an Offensive Security Tool used by both threat actors and legitimate penetration testers to access a network through “command-and-control” over encrypted ports. This tool grants access to these networks covertly, and threat actors also use these stealthy methods to exfiltrate data in a manner that victims may not detect. Tetra found similar evidence of Cobalt Strike execution on several additional hosts on the victim’s network.

The threat actor also used Remote Desktop Protocol (RDP) to move laterally to additional hosts on the victim network. RDP is not only used when logging into a network from a computer outside the local network, but also to access servers or workstations within a local one. Thus, “remote” does not always imply that the connection originated from an outside source. Tetra identified that lateral movement occurred using numerous RDP logins from several compromised machines on the victim’s network, all while using scraped credentials from various user accounts.

Ransomware Deployment

Finally, the threat actor began deploying WastedLocker ransomware to various hosts using RDP and PSExec. PSExec is yet another legitimate system administration tool that can remotely access endpoints as a privileged user. Threat actors commonly use PSExec during their campaigns to move laterally and deploy software.

The WastedLocker ransomware executable name was personalized to reflect the victim’s name on most machines, complete with its intimidating namesake, “wasted.” However, as the malware ran, WastedLocker ransomware also created copies of itself using seemingly innocuous names like Trace.exe, Diag.exe, and Keyboard.exe. WastedLocker established persistence to run after reboot and delete these executables after completion of the encryption process.

Post-Ransomware Deployment Actions

Tetra worked with the organization’s Managed Service Provider (MSP) to isolate infected hosts and also deployed SentinelOne, an endpoint monitoring solution to identify and respond to additional infections. This organization’s MSP continued to rebuild workstations and servers after the ransomware incident. This organization did not pay ransom for decryption of their data because Evil Corp/Dridex, an OFAC-sanctioned organization, is believed to manage the WastedLocker ransomware.

This case in particular relied upon user interaction to initiate the WastedLocker ransomware. The chain of events allowed access to the victim’s network by the threat actor and exploited internal weaknesses to move laterally.

User education might have been helpful in this case, but technical solutions can also be leveraged to prevent this type of attack. According to Drew Hjelm, Senior Director of Digital Forensics and Incident Response at Tetra Defense, “the SocGholish drive-by exploiter is a textbook example of why it’s critical to ensure that that workstations’ operating systems are up-to-date and default settings are configured securely.”

How to Prevent WastedLocker Ransomware

Some other ways to prevent a WastedLocker attack include:

  1. Ensuring that Windows Scripting Host doesn’t run JavaScript files by default. Simply change the default file type behavior.
  2. Blocking SMB traffic to workstations and servers, other than domain controllers and file shares. This can be done at the host-level using the Windows Firewall, using a network firewall, or both.
  3. Blocking servers from being able to communicate with the internet that don’t need that access.
  4. Limiting RDP access to hosts within your network except for trusted hosts.

While ransomware is a simple concept at its core, its methods and subsequent effects can be complex. The fight against this attack is never even — threat actors have proven to target opportunistically with a long list of exploits and mis-used tools. As new threats often come in the shape of trusted sources, whether they be news outlets or internet browsers, it is important to stay up to date with cybersecurity best practices.

Check out some related content on our blog: