WastedLocker

Malware record updated: 2024-10-17T13:02:10.504Z
WastedLocker is ransomware developed and operated by the Evil Corp group, a Russia-based cybercriminal organization. It targets Windows systems in enterprise networks, encrypting data and demanding a ransom for its release. First observed in 2020, WastedLocker is packed with a Delphi-based crypter known as CryptOne, which has been in use since 2015 and is offered as a Crypter-as-a-Service. CryptOne has been associated with several malware families over the years, including Gozi, Dridex, NetWalker and, most notably, WastedLocker.

WastedLocker emerged after a significant shift within Evil Corp. Following the departure of a key member, Turashev, the remaining group, led by Yakubets and Ryzhenkov, developed this new ransomware. The UK National Crime Agency (NCA) has identified Ryzhenkov as a key figure in the development of Evil Corp's post-sanctions ransomware strain, WastedLocker. Despite the sanctions and changes in tactics, members of the group went on to develop further ransomware strains, including Hades, PhoenixLocker, PayloadBIN and Macaw.

WastedLocker has been used in several high-profile attacks on major US companies. In one campaign, compromised newspaper websites operated by a US media company were not the targets but the delivery point: visitors were served fake software-update prompts that installed SocGholish, a JavaScript-based loader the attackers use as a primer for follow-on ransomware deployment, including WastedLocker.

Two implementation details stand out. WastedLocker carries a list of directories and file extensions to exclude from encryption, rather than a list of extensions to target, so any file not explicitly excluded is encrypted. And a sample packed with the CryptOne crypter as used by WastedLocker was found to detect and disable a list of security software.
Description last updated: 2024-10-17T12:33:02.988Z
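The exclusion-list design described above is the one implementation detail on this page worth illustrating. The following Python is an added example and is not WastedLocker's code or code from any vendor report; the directory list, extension lists and sample paths are constructed placeholders and are not the malware's actual lists. It contrasts exclusion-driven file selection with the extension-allowlist approach used by many other ransomware families, and shows why the former also reaches files with uncommon or missing extensions.

```python
"""Exclusion-list file selection versus extension targeting.

Added illustration, not code from WastedLocker or from any vendor report.
The directory and extension lists below are constructed placeholders chosen
to show the mechanism; they are NOT the malware's actual exclusion lists.
"""
from pathlib import PureWindowsPath

# Constructed exclusion lists (assumption, not the real WastedLocker lists):
# directory names whose subtree is skipped, and extensions that are skipped
# so the host stays bootable and the ransom note can still be opened.
EXCLUDED_DIRS = {"windows", "program files", "program files (x86)", "appdata"}
EXCLUDED_EXTS = {".exe", ".dll", ".sys", ".lnk", ".ini", ".msi"}

# Constructed allowlist (assumption) of the kind used by ransomware that
# targets specific "valuable" extensions instead of excluding a few.
TARGET_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".sql"}

# Constructed sample of file paths on a victim host (not real data).
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\report.docx",
    r"C:\Users\bob\Documents\backup.bak",
    r"C:\Users\bob\Documents\notes",
    r"C:\Users\bob\AppData\Roaming\cache.dat",
    r"C:\Users\bob\Desktop\shortcut.lnk",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\App\config.xml",
    r"D:\Shares\finance\ledger.sql",
    r"D:\Shares\finance\ledger.sql.custom",
]


def _lower_dir_parts(path: str) -> set[str]:
    """Lower-cased directory components of a Windows path (file name excluded)."""
    return {part.lower() for part in PureWindowsPath(path).parts[:-1]}


def selected_by_exclusion(path: str) -> bool:
    """Exclusion-driven selection, the approach the description attributes to
    WastedLocker: every file is a candidate unless a directory component or
    its extension is on a skip list. Files with unusual or missing
    extensions are therefore still selected."""
    if _lower_dir_parts(path) & EXCLUDED_DIRS:
        return False
    return PureWindowsPath(path).suffix.lower() not in EXCLUDED_EXTS


def selected_by_allowlist(path: str) -> bool:
    """Extension-targeting selection for comparison: only listed extensions
    are candidates; everything else is silently left alone."""
    return PureWindowsPath(path).suffix.lower() in TARGET_EXTS


def only_exclusion_hits(paths) -> list[str]:
    """Files the exclusion approach would encrypt that an allowlist misses."""
    return sorted(p for p in paths
                  if selected_by_exclusion(p) and not selected_by_allowlist(p))


def summarize(paths) -> dict[str, int]:
    """Count candidates under each strategy for a quick side-by-side view."""
    return {
        "exclusion": sum(selected_by_exclusion(p) for p in paths),
        "allowlist": sum(selected_by_allowlist(p) for p in paths),
    }


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:45} exclusion={selected_by_exclusion(path)!s:5} "
              f"allowlist={selected_by_allowlist(path)}")
    print(summarize(SAMPLE_PATHS))
    print("hit only by exclusion-driven selection:",
          only_exclusion_hits(SAMPLE_PATHS))
```

The practical consequence for defenders is twofold: canary files placed outside the excluded directories do not need a common document extension to be touched by exclusion-driven ransomware, and impact assessments or detections keyed on a fixed set of "interesting" extensions will under-count what this family encrypts, since backups, extensionless files and custom formats are all in scope.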
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions vary between vendors, so the following are possible overlapping names or profiles that may also be relevant.
Hades (3 votes): Hades is a possible alias for WastedLocker. Hades is a ransomware family that has been active in the cybersecurity landscape, particularly associated with ransomware attacks. Its operators use distinctive tactics and infrastructure, as noted by CTU researchers in June 2021. Hades ransomware operators have been observed using Advanced Port

PayloadBIN (2 votes): PayloadBIN is a possible alias for WastedLocker. PayloadBIN is a ransomware brand associated with the cybercrime group Evil Corp. This association emerged in 2021, when the newly appeared PayloadBIN ransomware, initially thought to be a rebrand of Babuk, was attributed to Evil Corp as an apparent effort to evade the sanctions imposed by the U.S. government in December 2019. The group has been responsible fo

Macaw (2 votes): Macaw is a possible alias for WastedLocker.

CryptOne (2 votes): CryptOne is a possible alias for WastedLocker. CryptOne is a Delphi-based crypter, dating back to 2015, that has been used by various malware families such as Gozi, Dridex, NetWalker, and WastedLocker. The crypter is reportedly offered as a Crypter-as-a-Service and is capable of detecting and disabling a list of
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Crypter
Windows
Associated Malware
SocGholish (association type: Unspecified; 3 votes): The SocGholish malware is associated with WastedLocker. SocGholish is malware that has been prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors of compromised websites. By late 2022, Microsof

Gozi (association type: Unspecified; 2 votes): The Gozi malware is associated with WastedLocker. Gozi is a banking trojan that has been linked to numerous cyber attacks. It is typically delivered through malvertising, often in conjunction with other initial-access malware such as the Pikabot botnet agent and the IcedID information stealer. When an individual accesses a c

LockBit (association type: Unspecified; 2 votes): The LockBit malware is associated with WastedLocker. LockBit is ransomware that infiltrates systems via malicious downloads, emails, or websites, often without the user's knowledge, and can steal data, disrupt operations, or hold data hostage for ransom. The LockBit
Associated Threat Actors
Evil Corp (association type: Unspecified; 3 votes): The Evil Corp threat actor is associated with WastedLocker. Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the US Treasury Department for its cybe
Source Document References
Information about the WastedLocker malware was read from the document corpus; the display is limited to 20 results.