WastedLocker

Malware updated 3 months ago (2024-11-29T14:26:55.296Z)

Download STIX

Preview STIX

WastedLocker is a sophisticated malware developed by the Evil Corp Group, a notorious cybercriminal organization. This malware is a form of ransomware that targets both Windows and Android devices, encrypting users' data and demanding a ransom for its release. Originating in 2020, WastedLocker utilizes a Delphi-based crypter known as CryptOne, which has been in use since 2015 and is offered as a Crypter-As-A-Service. CryptOne has been associated with various malware families over the years, including Gozi, Dridex, NetWalker, and, most notably, WastedLocker. The development of WastedLocker came about after a significant shift within the Evil Corp Group. Following the departure of a key member, Turashev, the remaining group, led by Yakubets and Ryzhenkov, began developing this new ransomware variant. The National Crime Agency (NCA) identified Ryzhenkov as a crucial figure in the development of Evil Corp's post-sanctions WastedLocker ransomware, a Ransomware-as-a-Service (RaaS) offering. Despite sanctions and changes in tactics, some members continued to develop further malware and ransomware strains, including WastedLocker, Hades, PhoenixLocker, PayloadBIN, and Macaw. WastedLocker has been used in several high-profile attacks, including those targeting major US companies and newspaper websites operated by a US media company. Attackers have also used a tool called SocGholish as a primer for ransomware, including WastedLocker. Notably, WastedLocker includes a list of directories and extensions to exclude from the encryption process, rather than targeting specific extensions. Additionally, a sample crypted by the CryptOne crypter as used by WastedLocker has been found capable of detecting and disabling a list of security software, demonstrating the malware's advanced capabilities.

Description last updated: 2024-10-17T12:33:02.988Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Hades is a possible alias for WastedLocker. Hades is a significant threat actor that has been active in the cybersecurity landscape, particularly associated with ransomware attacks. The group uses distinctive tactics and infrastructure, as noted by CTU researchers in June 2021. Hades ransomware operators have been observed using Advanced Port	3
Payloadbin is a possible alias for WastedLocker. PayloadBIN is a threat actor associated with the infamous cybercrime group, Evil Corp. This association emerged in 2021 when Babuk ransomware operations rebranded as PayloadBIN in an apparent effort to evade sanctions imposed by the U.S. government in December 2019. The group has been responsible fo	2
Macaw is a possible alias for WastedLocker.	2
Cryptone is a possible alias for WastedLocker. CryptOne is a Delphi-based crypter malware, dating back to 2015, that has been frequently used by various malicious software families such as Gozi, Dridex, NetWalker, and WastedLocker. This crypter is reportedly offered as a Crypter-As-A-Service and it's capable of detecting and disabling a list of	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Malware

Crypter

Windows

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Lockbit Malware is associated with WastedLocker. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or	Unspecified	3
The Socgholish Malware is associated with WastedLocker. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof	Unspecified	3
The Netwalker Malware is associated with WastedLocker. NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that Ne	Unspecified	2
The Gozi Malware is associated with WastedLocker. Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Evil Corp Threat Actor is associated with WastedLocker. Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybe	Unspecified	3
The Indrik Spider Threat Actor is associated with WastedLocker. Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw Ind	Unspecified	2

Source Document References

Information about the WastedLocker Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CrowdStrike	a month ago	CrowdStrike Falcon Earns Perfect Score in SE Labs’ Ransomware Evaluation
BankInfoSecurity	5 months ago	Cybercrime is Still Evil Incorporated, But Disruptions Help
DARKReading	5 months ago	LockBit Associates Arrested, Evil Corp Bigwig Outed
InfoSecurity-magazine	5 months ago	Evil Corp's LockBit Ties Exposed in Latest Phase of Operation Cronos
BankInfoSecurity	5 months ago	LockBit and Evil Corp Targeted In Anti-Ransomware Crackdown
Quick Heal Technologies Ltd.	7 months ago	Mobile Ransomware: How to Keep Them at Bay!
CERT-EU	a year ago	Watch Out: Attackers Are Hiding Malware in 'Browser Updates'
BankInfoSecurity	a year ago	Fake Browser Updates Used to Deploy Malware
SecurityIntelligence.com	2 years ago	The Trickbot/Conti Crypters: Where Are They Now?
MITRE	2 years ago	INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware
MITRE	2 years ago	WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations
MITRE	2 years ago	WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
MITRE	2 years ago	WastedLocker Ransomware: Abusing ADS and NTFS File Attributes
MITRE	2 years ago	Stopping Serial Killer: Catching the Next Strike - Check Point Research