One of the most dangerous families of ransomware to emerge this year is finding success because it’s been built to avoid anti-ransomware tools and other cybersecurity software according to security company researchers who have analysed its workings.
WastedLocker ransomware appeared in May and has already developed notoriety as a potent malware threat to organisations by encrypting networks and demanding a ransom of millions of dollars in bitcoin in exchange for the decryption key.
One of WastedLocker’s most recent high profile victims has been reported to be wearable tech and smartwatch manufacturer Garmin.
WastedLocker is thought to be the work of Evil Corp, a Russian hacking crew and one of the world’s most prolific cyber criminal groups. One of the reasons they’re so successful is because they’re always developing and adapting their tools.
Researchers at Sophos have delved into the inner-workings of WastedLocker and found that the malware goes the extra mile to help avoid detection.
The author of the WastedLocker ransomware constructed a sequence of manoeuvres meant to confuse and evade behavior-based anti-ransomware solutions, according to the report.
“It’s really interesting what it’s doing with mapping in Windows to bypass anti-ransomware tools,” said Chester Wisniewski, principal research scientist at Sophos. “That’s really sophisticated stuff, you’re digging way down into the things that only the people who wrote the internals of Windows should have a concept of, how the mechanisms might work and how they can confuse security tools and anti-ransomware detection,” he said.
Many malware families use some code obfuscation techniques to hide malicious intent and avoid detection, but WastedLocker adds additional layers to this by interacting with Windows API functions from within the memory itself, where it’s harder to be detected by security tools based on behavioural analysis.
WastedLocker uses a trick to make it harder for behavior based anti-ransomware solutions to keep track of what is going on, by using memory-mapped I/O to encrypt a file. This technique allows the ransomware to transparently encrypt cached documents in memory, without causing additional disk I/O, which can shield it from behavior monitoring software.
Then, by the time the infection is detected it’s too late – often the first sign is when the attackers have pulled the trigger on the ransomware attack and victims find themselves faced with a ransom note demanding millions of dollars.
The attacks are planned carefully, with the cyber criminals very hands-on throughout the entire process, which for WastedLocker campaign often begin by abusing stolen login credentials. If the accounts seized by the crooks provide administrator privileges then the attackers can ultimately do what they want.
“If they get admin credentials, they can VPN in, they can disable the security tools. If there’s no multi-factor they’re just going to login to the RDP, VPN and admin tools,” said Wisniewski.
He added that the coronavirus pandemic and the resultant rise in remote working have created optimal conditions for cyber criminals to conduct campaigns.
“Because of COVID-19, I think they’re having some more success with that. Things which might have only been internally facing are now externally facing and that’s another indicator that companies might be compromised,” he explained.
Organisations can go a long way to protecting themselves from falling victim to WastedLocker and other ransomware attacks by employing simple security procedures like not using default passwords for remote login portals and using multi-factor authentication to provide an extra barrier to hackers attempting to gain control of of accounts and systems.
Ensuring that security patches are applied as soon as possible can also help stop organisations falling victim to malware attacks, many of which use long-known vulnerabilities to gain a foothold into networks.
By applying these security practices, organisations can help stay protected against WastedLocker and other threats – but until these security protocols are applied across the board, ransomware will remain a problem.
“The reality is, ransomware is not going away,” said Wisniewski.
READ MORE ON CYBERSECURITY
- Ransomware: How clicking on one email left a whole business in big trouble
- Honeypot reveals tactics used by cybercriminals to deploy ransomware TechRepublic
- Ransomware: These free decryption tools have now saved victims over $600m
- Garmin apps, website start to return after cyberattack CNET
- 30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world