Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

WastedLocker

WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020)(Citation: Sentinel Labs WastedLocker July 2020)
ID: S0612
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 20 May 2021
Last Modified: 25 Mar 2024

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later.(Citation: NCC Group WastedLocker June 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

WastedLocker has used cmd to execute commands on the system.(Citation: NCC Group WastedLocker June 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

WastedLocker created and established a service that runs until the encryption process is complete.(Citation: NCC Group WastedLocker June 2020)

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

WastedLocker has a command to take ownership of a file and reset the ACL permissions using the takeown.exe /F filepath command.(Citation: NCC Group WastedLocker June 2020)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

WastedLocker has copied a random file from the Windows System32 folder to the %APPDATA% location under a different hidden filename.(Citation: NCC Group WastedLocker June 2020)

.004 Hide Artifacts: NTFS File Attributes

WastedLocker has the ability to save and execute files as an alternate data stream (ADS).(Citation: Sentinel Labs WastedLocker July 2020)

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

WastedLocker has performed DLL hijacking before execution.(Citation: NCC Group WastedLocker June 2020)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

WastedLocker contains junk code to increase its entropy and hide the actual code.(Citation: NCC Group WastedLocker June 2020)

.013 Obfuscated Files or Information: Encrypted/Encoded File

The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.(Citation: NCC Group WastedLocker June 2020)

Enterprise T1569 .002 System Services: Service Execution

WastedLocker can execute itself as a service.(Citation: NCC Group WastedLocker June 2020)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

WastedLocker checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique.(Citation: NCC Group WastedLocker June 2020)

Groups That Use This Software

ID Name References
G0119 Indrik Spider

(Citation: NCC Group WastedLocker June 2020) (Citation: Microsoft Ransomware as a Service) (Citation: SentinelOne SocGholish Infrastructure November 2022) (Citation: Crowdstrike EvilCorp March 2021)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.