Evil Corp
After restructuring due to the arrest of two of their members, the Russian cybercrime group Evil Corp has returned with new ransomware and tactics. Originally known for distributing the Dridex banking trojan, the group has returned with new ransomware called WastedLocker. According to researchers at Fox-IT, the new ransomware is being used in targeted attacks against corporations. Because the group is selective in who they target, the ransomware is customized for each victim and typically is used to hit file servers, database services, virtual machines, and cloud environments. To deliver the ransomware, the group is targeting websites to insert malicious code that displays fake update alerts. One of the payloads sent in this attack is the Cobalt Strike penetration testing framework, which the threat actors will use to gain access to the infected device. After access is gained into the network through the device, the group will further compromise the network and deploy the WastedLocker ransomware. It is important to note that the WastedLocker ransomware does not steal files before decrypting them, and there is not a free decryptor available to be used by victims. In many cases, the ransom that is asked for by the group is between 500,000 dollars and a few million dollars.
Analyst Notes
In the case of WastedLocker, the ransomware at this time does not appear to steal files from the company, which means if the company creates regular backups and does not lose those in the infection process, they should not lose any data and be able to continue to restore from those backups and continue operations. A good defense strategy is always to maintain two sets of backups and make sure one is separated from the network or kept offsite, to limit the potential of the original infection. Utilizing network monitoring such as Binary Defense’s Managed Detection and Response (MDR) in conjunction with a 24/7/365 SOC analyst monitoring could help detect this type of attack and stop it before the attackers move through a network to destroy backups and deploy the ransomware.
More information on WastedLocker can be found here: https://www.bleepingcomputer.com/news/security/new-wastedlocker-ransomware-distributed-via-fake-program-updates/
