S0612 WastedLocker
WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media.[1][2][3]
Item | Value |
---|---|
ID | S0612 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 20 May 2021 |
Last Modified | 27 September 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later.[2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | WastedLocker has used cmd to execute commands on the system.[2] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | WastedLocker created and established a service that runs until the encryption process is complete.[2] |
enterprise | T1486 | Data Encrypted for Impact | WastedLocker can encrypt data and leave a ransom note.[1][2][3] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | WastedLocker's custom cryptor, CryptOne, used an XOR-based algorithm to decrypt the payload.[2] |
enterprise | T1083 | File and Directory Discovery | WastedLocker can enumerate files and directories just prior to encryption.[2] |
enterprise | T1222 | File and Directory Permissions Modification | - |
enterprise | T1222.001 | Windows File and Directory Permissions Modification | WastedLocker has a command to take ownership of a file and reset the ACL permissions using the `takeown.exe /F filepath` command.[2] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | WastedLocker has copied a random file from the Windows System32 folder to the %APPDATA% location under a different hidden filename.[2] |
enterprise | T1564.004 | NTFS File Attributes | WastedLocker has the ability to save and execute files as an alternate data stream (ADS).[3] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.001 | DLL Search Order Hijacking | WastedLocker has performed DLL hijacking before execution.[2] |
enterprise | T1490 | Inhibit System Recovery | WastedLocker can delete shadow volumes.[1][2][3] |
enterprise | T1112 | Modify Registry | WastedLocker can modify registry values within the Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap registry key.[2] |
enterprise | T1106 | Native API | WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload.[2] |
enterprise | T1135 | Network Share Discovery | WastedLocker can identify network-adjacent and accessible drives.[3] |
enterprise | T1027 | Obfuscated Files or Information | The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.[2] |
enterprise | T1027.001 | Binary Padding | WastedLocker contains junk code to increase its entropy and hide the actual code.[2] |
enterprise | T1120 | Peripheral Device Discovery | WastedLocker can enumerate removable drives prior to the encryption process.[3] |
enterprise | T1012 | Query Registry | WastedLocker checks for specific registry keys related to the UCOMIEnumConnections and IActiveScriptParseProcedure32 interfaces.[2] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | WastedLocker can execute itself as a service.[2] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | WastedLocker checks whether the UCOMIEnumConnections and IActiveScriptParseProcedure32 registry keys are present as part of its anti-analysis technique.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0119 | Indrik Spider | [2][4] |
References
1. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
2. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
3. Walter, J. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
4. Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.