Ransomware is a type of malicious software designed to lock or encrypt files on a computer or a system until a ransom is paid. One of the first ransomware strains ever documented was the 1989 PC Cyborg Trojan, which demanded a meager $189 ransom payment to decrypt locked files.

Computer technology has come a long way since 1989, and ransomware has evolved along with it, leading to complex and potent variants such as WastedLocker. So how does WastedLocker work? Who has been affected by it? And how can you protect your devices?

What Is WastedLocker and How Does It Work?

First discovered in early 2020, WastedLocker is operated by the notorious hacker group Evil Corp, which is also known as INDRIK SPIDER or the Dridex gang, and most likely has ties to Russian intelligence agencies.

The United States Treasury Department's Office of Foreign Assets Control issued sanctions against Evil Corp in 2019 and the Justice Department indicted its alleged leader Maksim Yakubets, which has forced the group to change tactics.

WastedLocker attacks typically begin with SocGholish, a Remote Access Trojan (RAT) that impersonates browser and Flash updates to trick the target into downloading malicious files.


Once the target downloads the fake update, WastedLocker encrypts virtually all files on their computer and appends the extension "wasted" to each one, which appears to be a nod to internet memes inspired by the Grand Theft Auto video game series.

So, for example, a file originally named "muo.docx" would appear as "muo.docx.wasted" on a compromised machine.

To lock files, WastedLocker uses a combination of Advanced Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA) encryption algorithms, which makes decryption virtually impossible without Evil Corp's private key.
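As an added defender-side example (not part of the original article), the script below walks a directory tree, counts files that carry the ".wasted" extension described above, recovers their original names (so "muo.docx.wasted" maps back to "muo.docx"), and raises an alert when the share of renamed files crosses a threshold; the sample tree and the 50% threshold are constructed assumptions for the demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Extension the article reports WastedLocker appending to encrypted files.
WASTED_SUFFIX = ".wasted"


def original_name(path: Path) -> Optional[Path]:
    """Strip the appended extension: 'muo.docx.wasted' -> 'muo.docx'."""
    if path.name.endswith(WASTED_SUFFIX) and len(path.name) > len(WASTED_SUFFIX):
        return path.with_name(path.name[: -len(WASTED_SUFFIX)])
    return None


def triage_tree(root: Path, alert_ratio: float = 0.5) -> dict:
    """Summarise how much of a tree carries the suffix.

    alert_ratio is an assumed threshold: the article says WastedLocker
    encrypts virtually every file, so a high share is the tell-tale sign.
    """
    total = 0
    encrypted = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            orig = original_name(Path(dirpath) / name)
            if orig is not None:
                encrypted.append(orig)
    # Which original file types were hit (by their real extension).
    ext_counts = Counter(o.suffix.lower() or "(none)" for o in encrypted)
    ratio = len(encrypted) / total if total else 0.0
    return {
        "total_files": total,
        "encrypted_files": len(encrypted),
        "affected_extensions": dict(ext_counts),
        "ratio": ratio,
        "alert": bool(encrypted) and ratio >= alert_ratio,
    }


def build_sample_tree() -> Path:
    """Constructed sample share where most files carry the suffix."""
    root = Path(tempfile.mkdtemp(prefix="wasted_demo_"))
    for rel in ["muo.docx.wasted", "q2/budget.xlsx.wasted",
                "q2/notes.txt.wasted", "readme.txt"]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```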

The AES encryption algorithm is used by financial institutions and governments—the National Security Agency (NSA), for example, uses it to protect top secret information.

Named after three Massachusetts Institute of Technology (MIT) scientists who first publicly described it in the 1970s, the RSA encryption algorithm is considerably slower than AES and mostly used to encrypt small amounts of data.


WastedLocker leaves a ransom note for each file it encrypts, and directs the victim to contact the attackers. The message typically contains a Protonmail, Eclipso, or Tutanota email address.

The ransom notes are usually customized, mention the target organization by name, and warn against contacting the authorities or sharing the contact emails with third parties.

Designed to target large companies, the malware usually demands ransom payments of up to $10 million.

WastedLocker's High-Profile Attacks

In June 2020, Symantec uncovered 31 WastedLocker attacks on US-based companies. The vast majority of targeted organizations were large household names and 11 were Fortune 500 companies.

The ransomware took aim at companies in various sectors, including manufacturing, information technology, and media and telecommunications.

Evil Corp breached the networks of targeted companies, but Symantec managed to prevent the hackers from deploying WastedLocker and holding data for ransom.

The real total number of attacks may be much higher because the ransomware was deployed through dozens of popular, legitimate news sites.

Needless to say, companies that are worth billions of dollars have top-notch protection, which speaks volumes about how dangerous WastedLocker is.

That same summer, Evil Corp deployed WastedLocker against the American GPS and fitness-tracker company Garmin, which is estimated to have an annual revenue of over $4 billion.

As the Israeli cybersecurity company Votiro noted at the time, the attack crippled Garmin. It disrupted many of the company's services, and even had an effect on call centers and some production lines in Asia.

Garmin reportedly paid a $10 million ransom to regain access to its systems. It took the company days to get its services up and running, which presumably caused massive financial losses.


Though Garmin apparently thought paying the ransom was the best and most efficient way to address the situation, it's important to note that one should never trust cybercriminals—sometimes they have no incentive to provide a decryption key after receiving the ransom payment.

Generally, the best course of action in the event of a cyberattack is to immediately contact the authorities.

Besides, governments across the world impose sanctions against hacker groups, and sometimes these sanctions also apply to individuals who submit or facilitate a ransom payment, so there are also legal risks to consider.

What Is Hades Variant Ransomware?

In December 2020, security researchers spotted a new ransomware variant dubbed Hades (not to be confused with the 2016 Hades Locker, which is usually deployed through email in the form of an MS Word attachment).

An analysis from CrowdStrike found that Hades is essentially a 64-bit compiled variant of WastedLocker, but identified several key differences between these two malware threats.

For example, unlike WastedLocker, Hades doesn't leave a ransom note for each file it encrypts—it creates a single ransom note. And it stores the key information in encrypted files, as opposed to storing it in the ransom note.

The Hades variant doesn't leave contact information; it instead directs victims to a Tor site, which is customized for each target. The Tor site allows the victim to decrypt one file for free, which is evidently a way for Evil Corp to demonstrate that its decryption tools actually work.

Hades has primarily targeted large organizations based in the US with annual revenues exceeding $1 billion, and its deployment marked yet another creative attempt by Evil Corp to rebrand and evade sanctions.

How to Protect Against WastedLocker

With cyberattacks on the rise, investing in ransomware protection tools is an absolute must. It is also imperative to keep software up to date on all devices in order to prevent cybercriminals from exploiting known vulnerabilities.

Sophisticated ransomware variants such as WastedLocker and Hades have the ability to move laterally, which means they can gain access to all data on a network, including cloud storage. This is why maintaining an offline backup is the best way to protect important data from intruders.

Since employees are the most common cause of breaches, organizations should invest time and resources in educating staff on basic security practices.

Ultimately, implementing a Zero Trust security model is arguably the best way of ensuring an organization is protected against cyberattacks, including those waged by Evil Corp and other state-sponsored hacker groups.