WastedLocker
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later. (Citation: NCC Group WastedLocker June 2020)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | WastedLocker has used cmd to execute commands on the system. (Citation: NCC Group WastedLocker June 2020)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | WastedLocker created and established a service that runs until the encryption process is complete. (Citation: NCC Group WastedLocker June 2020)
Enterprise | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | WastedLocker has a command to take ownership of a file and reset the ACL permissions using the
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | WastedLocker has copied a random file from the Windows System32 folder to the
Enterprise | T1564.004 | Hide Artifacts: NTFS File Attributes | WastedLocker has the ability to save and execute files as an alternate data stream (ADS). (Citation: Sentinel Labs WastedLocker July 2020)
Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | WastedLocker has performed DLL hijacking before execution. (Citation: NCC Group WastedLocker June 2020)
Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | WastedLocker contains junk code to increase its entropy and hide the actual code. (Citation: NCC Group WastedLocker June 2020)
Enterprise | T1569.002 | System Services: Service Execution | WastedLocker can execute itself as a service. (Citation: NCC Group WastedLocker June 2020)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | WastedLocker checked whether the UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were present as part of its anti-analysis technique. (Citation: NCC Group WastedLocker June 2020)
Groups That Use This Software

ID | Name | References
---|---|---
G0119 | Indrik Spider | (Citation: NCC Group WastedLocker June 2020) (Citation: Crowdstrike EvilCorp March 2021)
References
- Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
- Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
- Walter, J. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
- Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.