Morphisec Cybersecurity Blog

New WastedLocker Ransomware Causes Enterprise Havoc

Written by Michael Gorelik | August 7, 2020 at 1:00 PM

Garmin has confirmed that the recent outage its users experienced was indeed the result of a successful ransomware attack. However, the extent of the damage done is still unclear. The attack, which compromised Garmin’s servers for five days, impacted millions of users globally and will likely end up costing Garmin millions of dollars in lost productivity and reputation alone. While Garmin says that no customer data was leaked, Garmin's call centers, web site, and cloud-based services such as Garmin Connect and FlyGarmin (a commercial aviation navigation service) were either taken offline or negatively impacted as a result of the attack.

According to reliable sources, the Garmin attack appears to have been the result of a successful "WastedLocker" ransomware infiltration by the notorious Russian cybercrime group known as "Evil Corp." The group’s apparent success in this recent attack highlights the danger of organized threat actors to companies of all sizes. It also provides a lesson for companies seeking to protect their corporate networks against similar threats. The first step towards improving your own network security is understanding how Garmin fell victim to this attack.

Exploring the WastedLocker Cyber Attack Chain

The type of attack chain that Garmin witnessed is likely no different from those experienced by other victims of Evil Corp malware breaches. Like their previous Bitpaymer attacks, Evil Corp spread WastedLocker Ransomware payloads by masquerading them as software or system updates. These malicious updates are delivered via a Javascript-based framework known as SocGholish, which, running under the privileges of a browser user, lures targets into downloading fake updates to applications such as Chrome and Firefox web browsers. Evil Corp has previously used a similar framework to trick targeted users into downloading Dridex malware, Cobalt Strike beacons, Netwire, and more.

While attacks conducted by Evil Corp are often tailored explicitly towards targeted organizations, they tend to follow a similar attack chain:

  1. Evil Corp leverages compromised legitimate websites by inserting malicious code within them. These sites then prompt users to agree to fake software update downloads as part of the SocGholish framework. Alternatively, some targets may be infected through an existing Dridex infection, persistent in their network from earlier attacks.
  2. After it's downloaded, the malicious update executes a custom CobaltStrike loader.
  3. EvilCorp then uses CobaltStrike to gain additional information about the compromised host. It also allows the WastedLocker ransomware to move laterally within the targeted organization to infect other systems.
  4. Due to its affinity for running with administrative privileges, WastedLocker uses a UAC bypass to elevate the user's privilege if it initially runs with non-admin privileges.
  5. Following a successful elevation of privileges, the WastedLocker ransomware will execute either as a service from System32 or as an Alternate Data Stream attached to a legitimate Windows executable.

After its execution, WastedLocker ransomware will attempt to encrypt all the files it can access within the infected target network while deleting shadow files and backups. Ignoring files with a size of fewer than 10 bytes, Wastedlocker encrypts victims' files in batches of 64mb with the AES algorithm. The encrypted filenames are also renamed to include the victim's name alongside the string "wasted," i.e., file.doc.companynamewasted. The service also creates a separate ransom note which appears alongside each file, i.e., file.doc.companynamewasted_info.

After this process, the encryption service itself is deleted and a log file of encrypted files created. In return for unlocking the files, Evil Corp demands, through a specified email address, a ransom payable in Bitcoin. Most Evil Corp ransom demands range between $500,000 and $10 million.

Low Value, High Impact Endpoint Targeting

The pathways that Evil Corp targets might not be immediately recognizable as significant assets. They often look for higher-value targets like file servers and database services alongside lower-value targets like virtual machines and physical workstations that could turn into high-value targets if used for lateral movement.

Evil Corp gains a foothold in these vulnerable endpoints by exploiting a critical weakness in many companies' cybersecurity posture — memory. Despite breached companies possessing EDR and AV security tools, EvilCorp has consistently demonstrated a capacity to bypass many advanced endpoint protection and antivirus methods with its full attack chain.

Protecting Against Targeted Ransomware

For organizations faced with highly sophisticated and targeted attacks from well-resourced cybercrime gangs like Evil Corp, standard AV and EDR platforms are of little use. While siloed backups can provide mitigation in case of a successful attack, targeted ransomware like WastedLocker usually aim to knock out backups as a key attack priority.

However, it’s still possible to protect corporate networks from these kinds of sophisticated attacks. A proactive cyber defense strategy prevents WastedLocker and other advanced ransomware attacks from progressing by preemptively detecting it and stopping its payload being delivered. With a dedicated memory defense layer, attacks never have a chance to infiltrate a targeted network in the first place. The Proactive Endpoint Protection solutions offered by Morphicsec protect corporate networks against zero-day and unknown attacks without needing any rules, signatures, or any other type of prior knowledge.