1. Home
  2. Software
  3. WastedLocker

WastedLocker

WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media.[1][2][3]

ID: S0612
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security
Version: 1.1
Created: 20 May 2021
Last Modified: 25 March 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later.[2]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

WastedLocker has used cmd to execute commands on the system.[2]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

WastedLocker created and established a service that runs until the encryption process is complete.[2]

Enterprise T1486 Data Encrypted for Impact

WastedLocker can encrypt data and leave a ransom note.[1][2][3]

Enterprise T1140 Deobfuscate/Decode Files or Information

WastedLocker's custom cryptor, CryptOne, used an XOR based algorithm to decrypt the payload.[2]
Enterprise T1083 File and Directory Discovery

WastedLocker can enumerate files and directories just prior to encryption.[2]
Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

WastedLocker has a command to take ownership of a file and reset the ACL permissions using the takeown.exe /F filepath command.[2]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

WastedLocker has copied a random file from the Windows System32 folder to the %APPDATA% location under a different hidden filename.[2]
.004 Hide Artifacts: NTFS File Attributes

WastedLocker has the ability to save and execute files as an alternate data stream (ADS).[3]
Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

WastedLocker has performed DLL hijacking before execution.[2]
Enterprise T1490 Inhibit System Recovery

WastedLocker can delete shadow volumes.[1][2][3]

Enterprise T1112 Modify Registry

WastedLocker can modify registry values within the Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap registry key.[2]
Enterprise T1106 Native API

WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload.[2]
Enterprise T1135 Network Share Discovery

WastedLocker can identify network adjacent and accessible drives.[3]
Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

WastedLocker contains junk code to increase its entropy and hide the actual code.[2]
.013 Obfuscated Files or Information: Encrypted/Encoded File

The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.[2]

Enterprise T1120 Peripheral Device Discovery

WastedLocker can enumerate removable drives prior to the encryption process.[3]
Enterprise T1012 Query Registry

WastedLocker checks for specific registry keys related to the UCOMIEnumConnections and IActiveScriptParseProcedure32 interfaces.[2]
Enterprise T1569 .002 System Services: Service Execution

WastedLocker can execute itself as a service.[2]
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

WastedLocker checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique.[2]

Groups That Use This Software

ID Name References
G0119 Indrik Spider

[2][4][5][6]

References

  1. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  2. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  3. Walter, J.. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
  1. Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.
  2. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  3. Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.