Researchers have discovered a new ransomware, WastedLocker, that they are attributing with “high confidence” to the Evil Corp cybercriminal gang, two members of which the U.S. Justice Department charged last December with federal hacking and bank fraud crimes.
Evil Corp is historically associated with the banking credentials-stealing Zeus trojan and Bugat (aka Dridex) malware, as well as Locky and more recently BitPaymer ransomware. However, since mid-March there has been a marked decrease in BitPaymer attack activity, according to NCC Group and its Fox-IT InTELL division in a company blog post on Tuesday. It’s likely that during this quiet period, the adversaries were busy developing the new WastedLocker ransomware program, which first debuted in May 2020.
Additionally, the cybercriminals have apparently changed up some of its TTPs in 2020. “We believe those changes were ultimately caused by the unsealing of [DOJ] indictments against [alleged Evil Corp members] Igor Olegovich Turashev and Maksim Viktorovich Yakubets, and the financial sanctions against Evil Corp in December 2019,” the NCC Group blog post states. “These legal events set in motion a chain of events to disconnect the association of the current Evil Corp group and these two specific indicted individuals and the historic actions of Evil Corp.”
Among the key changes is the group’s recent abuse of the Cobalt Strike threat emulation software and its Beacon implant for lateral movement activity, rather than using the Empire PowerShell framework. NCC Group says the actors have been embedding the Cobalt Strike payload in two types of PowerShell scripts and in certain cases is delivering it via a custom loader that appears to have been modified to detect Crowdstrike’s cybersecurity endpoint solution.
Another deviation from the group’s usual m.o. is the use of a variant the banking trojan Gozi, aka Ursnif or ISFB, as a replacement for a Dridex botnet that’s historically been installed as a persistent component on victimized networks.
The new WastedLocker ransomware targets removable, fixed, shared and remote drives for encryption, ignoring files smaller than 10 bytes as well as any blacklisted directories or extensions.
“Each file is encrypted using the AES algorithm with a newly generated AES key and IV (256-bit in CBC mode) for each file,” the blog post says. “The AES key and IV are encrypted with an embedded public RSA key (4096 bits). The RSA encrypted output of key material is converted to base64 and then stored into the ransom note.” This note is created every single time a file is encrypted.
Encrypted files’ extensions are based on the victim organization’s name plus the prefix “wasted.”
NCC Group notes that WastedLocker is protected with a custom crypter, CryptOne, that features basic code used by other malwares as well.
Another notable attribute of WastedLocker: If it’s not executed with admin rights, or if the infected host operates on Windows Vista or later, the malware will attempt to elevate privileges using a UAC bypass technique. Additionally, it deletes shadow copies in order to thwart attempts at restoring files.
NCC Group researchers note that the Evil Corp actors are still relying on one of their tried-and-true distribution methods to infect victims with Cobalt Strike and WastedLocker: They are using the SocGholish malicious framework to trick users into thinking they are downloading browser and Flash updates, when they are actually installing the malware.