Published on August 18, 2020
By Oleg Kolesnikov, Securonix Threat Research Team
Created On: July 28, 2020
Last Updated: August 18, 2020
Figure 1: Victim’s Systems Targeted by WastedLocker Unavailable (July 2020)
The Securonix Threat Research Team (STR) is actively investigating the details of the critical targeted WastedLocker ransomware attacks that have reportedly already hit more than 31 companies, 8 of them Fortune 500 companies, to help our customers detect, mitigate, and respond to such attacks.
Here are some of the key technical details and our recommendations on possible Securonix predictive indicators/security analytics that can be used to detect the current and potentially future attack variants (these indicators may be updated as we receive more information.)
Figure 2: WastedLocker/EvilCorp Attack in Progress - Targeting a Victim Company in a Recent High-Profile Attack
Here are the key details regarding the impact of the high-profile WastedLocker ransomware attacks/EvilCorp malicious cyber threat actor(s)(MTA) involved:
- The WastedLocker ransomware is a relatively new malicious payload used by the high-profile EvilCorp MTA, which previously used the Dridex trojan to deploy BitPaymer ransomware in attacks targeting government organizations and enterprises in the United States and Europe. (See Figure 1)
- This MTA currently focuses on targeted "big game hunting" (BGH) ransomware attacks with multiple industry victims in recent months, with Garmin as one of the latest high-profile victims attacked (officially confirmed by Garmin on July 27). (See Figure 2)
- The most recent ransom amount demanded was US$10M and appears to be based on the victim's financial data. Based on the available details, the ransom was likely paid. (See Figure 3)
- To date, this MTA appears to have been using a mono-extortion scheme (data encryption only, with no or minimal data leakage) vs. other MTAs that use the threat of leaking a victim's data as part of a double-extortion scheme (e.g. Netwalker, Maze, and others). However, based on our monitoring of this MTA's capabilities, this can likely be easily added in future attacks.
Figure 3: Victim Systems’ Recovery Using Custom Utility & Decryption Key After Reported Ransom Payment to WastedLocker/EvilCorp 
Some Examples of Observed ATT&CK Techniques
- T1082 - System Information Discovery
- T1018 - Remote System Discovery
- T1003 - OS Credential Dumping
- T1089 - Disabling Security Tools
- T1127 - Trusted Developer Utilities Proxy Execution
- T1113 - Screen Capture
- T1189 - Drive-by Compromise
- T1500 - Compile After Delivery
- T1035 - Service Execution
- T1098 - Account Manipulation
- T1086 - PowerShell
- T1214 - Credentials in Registry
- T1047 - Windows Management Instrumentation
- T1057 - Process Discovery
- T1070 - Indicator Removal on Host
- T1077 - Windows Admin Shares
- T1087 - Account Discovery
- T1564 - Hidden Files and Directories/NTFS File Attributes
- T1569 - Service Execution
- T1548 - BypassUAC
- T1106 - Native API
- T1490 - Inhibit System Recovery
- T1059 - Command and Scripting
- T1222 - Permissions Modification
- T1486 - Data Encrypted for Impact
Some Examples of Observed Attack Artifacts/Payloads
In addition to the relatively wide range of technical attack capabilities/techniques employed by the MTA, there are also a large number of attack/artifact variants associated with the EvilCorp MTA attacks, and new variants appear regularly, particularly because of the focus on defense evasion. Some of the artifacts observed to date include:
and many others.
(A comprehensive list of static artifacts, including [imp]hashes, can be found in other researchers’ work [3, 4, 5], and is out of scope for this advisory.)
Figure 4: Example of WastedLocker/EvilCorp Malicious Activity (New Firewall Rule Creation) in Logs
WastedLocker/EvilCorp - Some Common Attack Progression/Behaviors Highlights
Following the initial compromise, one of the early steps commonly taken by the malicious operators observed is to perform internal discovery and disable security/AV vendor tools such as Cisco AMP and/or Windows Defender (ATT&CK T1089). Often this involves variations of the following commands:
- reg save HKLM\SAM C:\programdata\SamBkup.hiv
- reg save HKLM\SYSTEM C:\programdata\FileName.hiv
- C:\Windows\System32\cmd.exe /C whoami /all
- C:\Windows\system32\taskkill.exe /F /IM sfc.exe
- :\Program Files\Windows Defender\MpCmdRun.exe -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true
- C:\Windows\system32\cmd.exe /C C:\Program Files\Cisco\AMP\7.2.7\sfc.exe -stop
- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.5323.2000.105\Bin\Smc.exe -disable -sep
- C:\Windows\system32\taskkill.exe /F /IM sfc.exe
Figure 5: Example of WastedLocker/EvilCorp Malicious Activity (Lateral Movement Using WMI/Powershell) in Logs
Following the initial compromise and the internal discovery/security tool disabling steps mentioned above, the typical attack progression involves further defense evasion (for instance, using NTFS alternate data streams: during threat hunting, one might see a 4688 event with a NewProcessName such as *\AppData\Roaming\Wcncsvc:bin), UAC bypass, firewall compromise/rule changes (see Figure 4), compiling targeted payloads on-the-fly using LOLBINS/cvc/cvtres, evasion using .NET injection, and lateral movement ranging from trivial PSEXEC to basic staging via WMI/PowerShell (see Figure 5).
The final stage often involves disabling shadow copies and stopping some of the critical/backup/SQL services, e.g.
- stop NetBackup BMR MTFTP Service /y
- stop BMR Boot Service /y
- config SstpSvc start= disabled
- config SQLTELEMETRY start= disabled
- config SQLWriter start= disabled
and deploying the malicious ransomware implant (usually persistent as a service/registry), performing some basic automated evasion/file attribute resets and encryption of the sensitive data. The resets are performed by the malicious ransomware implant service, e.g. using commands such as:
- cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Wcncsvc.exe" & del "C:\Windows\SysWOW64\Wcncsvc.exe"
- takeown, icacls.exe
The encryption process itself involves behaviors that aim at evading anti-ransomware solutions and optimizing performance, including using memory-mapped I/O as part of file encryption. However, in our experience, the threat hunting/log detection artifacts associated with the ransomware encryption process and the associated file writes are typically still present and usually are detectable in the logs.
Detection - Sample Spotter Search Queries
Please find below some examples of trivial Spotter queries to assist with initial threat hunting/identifying some possible attack behaviors based on the details above.
Note: Because of the rapidly changing attack landscape, the recommendation is not to rely on static IOAs/queries and to implement the use cases/predictive indicators for the best possible protection (see next section).
EDR Process Monitoring
# Initial infiltration via fake update (many other vectors possible)
resourcegroupname = "Microsoft Sysmon" and deviceaction = "Process Create" and resourcecustomfield1 contains .js and resourcecustomfield1 contains wscript and resourcecustomfield1 contains "Chrome.Update"
# FW hole punching
resourcegroupname = "Microsoft Sysmon" and deviceaction = "Process Create" and resourcecustomfield1 contains "dir=out action=allow protocol=any" and resourcecustomfield1 contains "firewall add rule"
# AV tool disabling
resourcegroupname = "Microsoft Sysmon" and deviceaction = "Process Create" and resourcecustomfield1 contains "Set-MpPreference -DisableBehaviorMonitoring"
# NTFS stream evasion
resourcegroupname = "windows" and baseeventid = 4688 and sourceprocessname contains ":bin"
# Shadow copy disabling
resourcegroupname = "Microsoft Sysmon" and deviceaction = "Process Create" and resourcecustomfield1 contains "Delete Shadows /all /quiet"
# AV tool disabling
resourcegroupname = "Microsoft Sysmon" and deviceaction = "Process Create" and resourcecustomfield1 contains "WinDefend start= disabled"
# Locked file creation
resourcegroupname = "Microsoft Sysmon" and deviceaction contains "File Create" and resourcecustomfield5 contains wasted | stats count by sourcehostname
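The Spotter conditions above (and the attack progression they are derived from) can be prototyped outside the platform for triage. The following is an added example, not Securonix code: it re-implements each query as a substring rule over constructed Sysmon/4688 events, groups hits per host like the `stats count by sourcehostname` tail, and ranks hosts on which several distinct stages fired, since a chain of stages is a far stronger signal than one noisy hit. Field and host names are assumptions.

```python
# Constructed sample events (not from the advisory): Sysmon process/file events and one
# Windows 4688 event, keyed by the same fields the Spotter queries filter on.
SAMPLE_EVENTS = [
    {"host": "ws01", "group": "Microsoft Sysmon", "action": "Process Create",
     "field": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\Chrome.Update.1a2b.js"},
    {"host": "ws01", "group": "Microsoft Sysmon", "action": "Process Create",
     "field": "netsh advfirewall firewall add rule name=svc dir=out action=allow protocol=any"},
    {"host": "srv02", "group": "Microsoft Sysmon", "action": "Process Create",
     "field": "powershell.exe Set-MpPreference -DisableBehaviorMonitoring $true"},
    {"host": "srv02", "group": "windows", "action": "4688",
     "field": "C:\\Users\\u\\AppData\\Roaming\\Wcncsvc:bin"},      # NTFS ADS as process image
    {"host": "srv02", "group": "Microsoft Sysmon", "action": "Process Create",
     "field": "vssadmin.exe Delete Shadows /all /quiet"},
    {"host": "srv02", "group": "Microsoft Sysmon", "action": "File Create",
     "field": "D:\\shares\\finance\\q2.xlsx.wasted"},
    {"host": "ws03", "group": "Microsoft Sysmon", "action": "Process Create",
     "field": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},     # benign control
]

# One rule per Spotter query: (event group, action, substrings that must ALL appear).
# Matching is case-insensitive, like the "contains" operator in the queries above.
RULES = {
    "fake_chrome_update_infiltration": ("Microsoft Sysmon", "Process Create", ["wscript", ".js", "chrome.update"]),
    "firewall_hole_punching": ("Microsoft Sysmon", "Process Create", ["firewall add rule", "dir=out action=allow protocol=any"]),
    "defender_behavior_monitoring_disabled": ("Microsoft Sysmon", "Process Create", ["set-mppreference -disablebehaviormonitoring"]),
    "ntfs_ads_process_image": ("windows", "4688", [":bin"]),
    "shadow_copy_deletion": ("Microsoft Sysmon", "Process Create", ["delete shadows /all /quiet"]),
    "windefend_service_disabled": ("Microsoft Sysmon", "Process Create", ["windefend start= disabled"]),
    "wasted_extension_file_create": ("Microsoft Sysmon", "File Create", ["wasted"]),
}

def matching_rules(event):
    """Names of every rule whose group, action and substring conditions this event satisfies."""
    text = event["field"].lower()
    return [name for name, (group, action, needles) in RULES.items()
            if event["group"] == group and event["action"] == action
            and all(n in text for n in needles)]

def hunt(events):
    """Distinct rules fired per host (the `stats ... by sourcehostname` view)."""
    hits = {}
    for ev in events:
        for name in matching_rules(ev):
            hits.setdefault(ev["host"], set()).add(name)
    return hits

def hosts_with_attack_chain(events, min_stages=2):
    """Hosts where at least min_stages distinct rules fired, most stages first."""
    hits = hunt(events)
    return sorted((h for h, r in hits.items() if len(r) >= min_stages), key=lambda h: -len(hits[h]))
```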
ETDR Process Monitoring (Process Hash Conditions)
(rg_category contains "Endpoint" OR rg_category contains "ips" OR rg_category contains "ids") AND
Mitigation and Prevention - Securonix Recommendations
Here are some of the Securonix recommendations to help customers prevent and/or mitigate the attack:
- Review your backup version retention policies and make sure that your backups are stored in a location that cannot be accessed/encrypted by operator-placed targeted ransomware (e.g. consider remote write-only backup locations).
- Implement an end user security training program, since end users are ransomware targets. It is important for them to be aware of the threat of ransomware and how it occurs.
- Patch operating systems, software, and firmware on your infrastructure. Consider leveraging a centralized patch management system.
- Maintain regular air-gapped backups of critical corporate/infrastructure data.
- Implement security monitoring, particularly for high-value targets (HVT) in your environments, to detect possible malicious ransomware operator placement activities earlier.
- For your Windows systems, consider enabling and auditing controlled folder access/turn on the protected folders feature – see https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard
Figure 6: Example of the Malicious Threat Detection in Securonix Labs
Detection Using Security Analytics – Some Examples of Securonix Predictive Indicators
Here are some high-level examples of the relevant Securonix behavior analytics/predictive indicators that increase the chances of early detection of the malicious activity associated with the WastedLocker/EvilCorp MTA, and potentially other future variants of attacks:
- Possible Initial Infiltration Via Fake Chrome Update
- Rare Image For CLR Executable Load Potential Donut CLR Injection
- Potential PSEXEC Activity
- Rare WMI Exec Process Potential Lateral Movement
- NTFS File Attribute Hidden Artifact Executable Creation
- Rare Service Creation For User Analytic
- Potential Log Clearing
- Potential Defense Evasion Interference/Disabling Antivirus Tools
- Executable File/Script Creation Analytic
and a number of others, including AVI-WDF2-RUN, EDR-SYM9-BPI, EDR-SYM90-ERI, EDR-SYM91-ERI, WEL-SVC1-ERI, EDR-SYM18-RUN, EDR-SYM67-RUN, WEL-SHR6-RUN, EDR-SYM93-RUN, WEL-OTH1-RUN, WEL-PSH12-RUN, et al.
Some examples of successful detection of these real-world attacks in practice in Securonix Labs are shown in Figure 6.