WastedLocker is an advanced piece of ransomware seen in at least 31 publicly known targeted attacks operated by the Evil Corp group against US-based corporations since May 2020. The most recent attack was against Garmin
, as a consequence of which the Garmin Connect
service went down.
The ransom demands typically vary from $500,000 to over $10 million in Bitcoin. [1
] However, the most interesting trait of WastedLocker is the defence evasion and privilege escalation techniques used in these attacks such as digital signing, DLL side loading, auto elevation, and the usage of Alternate Data Streams (ADS).
As a result, the ransomware managed to install and start itself from the Windows
system folder with elevated privileges. Moreover, to encrypt files without attracting unnecessary attention from an anti-malware solution, WastedLocker leveraged the technique of mapping the user’s files into memory. When a file’s content is encrypted in the memory, it will automatically be written back to the file on a disk by the Windows Cache Manager
, not by the actual ransomware process, which is called ‘lazy writing’. This technique can make an anti-ransomware module blind.
Another surprising effect of the memory mapping technique that plays against attackers is that the modification timestamps of the encrypted files are not changed, which makes files encryption invisible not only to anti-ransomware solutions but also to some backup solutions, in particular, Google
’s Backup & Sync
. In other words, the encrypted file's content won’t be synced with Google Drive
, which prevents the original data stored in the cloud from being encrypted.
In this talk, we will take a look under the hood of WastedLocker and analyse the above-mentioned techniques with the help of the disassembler (IDA) that fans of reverse engineering might like.