
S0612 WastedLocker

WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media. [1][2][3]

ID: S0612
Associated Names: -
Type: MALWARE
Version: 1.0
Created: 20 May 2021
Last Modified: 27 September 2021

Techniques Used

Domain | ID | Name | Use
enterprise | T1548 | Abuse Elevation Control Mechanism | -
enterprise | T1548.002 | Bypass User Account Control | WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later. [2]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | WastedLocker has used cmd to execute commands on the system. [2]
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | WastedLocker created and established a service that runs until the encryption process is complete. [2]
enterprise | T1486 | Data Encrypted for Impact | WastedLocker can encrypt data and leave a ransom note. [1][2][3]
enterprise | T1140 | Deobfuscate/Decode Files or Information | WastedLocker's custom cryptor, CryptOne, used an XOR-based algorithm to decrypt the payload. [2]
enterprise | T1083 | File and Directory Discovery | WastedLocker can enumerate files and directories just prior to encryption. [2]
enterprise | T1222 | File and Directory Permissions Modification | -
enterprise | T1222.001 | Windows File and Directory Permissions Modification | WastedLocker has a command to take ownership of a file and reset the ACL permissions using the takeown.exe /F filepath command. [2]
enterprise | T1564 | Hide Artifacts | -
enterprise | T1564.001 | Hidden Files and Directories | WastedLocker has copied a random file from the Windows System32 folder to the %APPDATA% location under a different hidden filename. [2]
enterprise | T1564.004 | NTFS File Attributes | WastedLocker has the ability to save and execute files as an alternate data stream (ADS). [3]
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.001 | DLL Search Order Hijacking | WastedLocker has performed DLL hijacking before execution. [2]
enterprise | T1490 | Inhibit System Recovery | WastedLocker can delete shadow volumes. [1][2][3]
enterprise | T1112 | Modify Registry | WastedLocker can modify registry values within the Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap registry key. [2]
enterprise | T1106 | Native API | WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload. [2]
enterprise | T1135 | Network Share Discovery | WastedLocker can identify network adjacent and accessible drives. [3]
enterprise | T1027 | Obfuscated Files or Information | The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file. [2]
enterprise | T1027.001 | Binary Padding | WastedLocker contains junk code to increase its entropy and hide the actual code. [2]
enterprise | T1120 | Peripheral Device Discovery | WastedLocker can enumerate removable drives prior to the encryption process. [3]
enterprise | T1012 | Query Registry | WastedLocker checks for specific registry keys related to the UCOMIEnumConnections and IActiveScriptParseProcedure32 interfaces. [2]
enterprise | T1569 | System Services | -
enterprise | T1569.002 | Service Execution | WastedLocker can execute itself as a service. [2]
enterprise | T1497 | Virtualization/Sandbox Evasion | -
enterprise | T1497.001 | System Checks | WastedLocker checked whether the UCOMIEnumConnections and IActiveScriptParseProcedure32 registry keys were present as part of its anti-analysis technique. [2]

Groups That Use This Software

ID | Name | References
G0119 | Indrik Spider | [2][4]

References