In a recent analysis of the WastedLocker ransomware, Sophos detailed some of the methods the ransomware family uses to evade typical behavioral detection. By now, nearly everyone is familiar with how ransomware operates. Once a victim is infected, data is potentially stolen, backups are deleted, and the ransomware goes to work encrypting files. During the encryption process, most ransomware opens and encrypts the files directly, and this is also how most security solutions that monitor file events detect it. To get around this, WastedLocker maps files into memory before encrypting them. Windows' Memory Manager tracks the modified pages and writes them back to disk once enough modifications have accumulated. Because that write-back is performed by a trusted system process, security solutions may attribute the encrypted files being written to disk to that process and ignore them.
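To make the attribution gap concrete, here is an added example (not code from the Sophos analysis) that correlates file write-backs reported under the System process with the process that last mapped the same file. The event schema, the sample events and the assumption that write-backs surface under PID 4 are constructed for illustration.

```python
"""Added example: crediting memory-mapped write-backs to the mapping process.

The event schema and sample events are constructed; real sensors expose
different fields and may attribute write-backs differently."""

# Constructed sample file events, in time order. "map" = a process mapped the
# file into memory; "write" = bytes were written to the file on disk.
EVENTS = [
    {"pid": 4,    "proc": "System",      "op": "write", "path": r"C:\Windows\Logs\setup.log"},
    {"pid": 1234, "proc": "ransom.exe",  "op": "map",   "path": r"C:\Users\a\doc1.docx"},
    {"pid": 1234, "proc": "ransom.exe",  "op": "map",   "path": r"C:\Users\a\doc2.xlsx"},
    {"pid": 4,    "proc": "System",      "op": "write", "path": r"C:\Users\a\doc1.docx"},
    {"pid": 4,    "proc": "System",      "op": "write", "path": r"C:\Users\a\doc2.xlsx"},
    {"pid": 7788, "proc": "winword.exe", "op": "write", "path": r"C:\Users\a\notes.docx"},
]

SYSTEM_PID = 4  # assumed PID under which dirty-page write-backs are reported


def attribute_writes(events, correlate=True):
    """Return (path, responsible_process) for every write event.

    With correlate=False the writer is taken as reported (the naive view, in
    which the encryptor never appears). With correlate=True a write reported
    under the System process is credited to the last non-system process that
    mapped the same file; if no such mapping was seen it stays with System."""
    last_mapper = {}
    attributed = []
    for ev in events:
        if ev["op"] == "map" and ev["pid"] != SYSTEM_PID:
            last_mapper[ev["path"]] = ev["proc"]
        elif ev["op"] == "write":
            proc = ev["proc"]
            if correlate and ev["pid"] == SYSTEM_PID:
                proc = last_mapper.get(ev["path"], proc)
            attributed.append((ev["path"], proc))
    return attributed


def files_written_per_process(events, correlate=True):
    """Count distinct files written per (attributed) process."""
    seen = {}
    for path, proc in attribute_writes(events, correlate):
        seen.setdefault(proc, set()).add(path)
    return {proc: len(paths) for proc, paths in seen.items()}


if __name__ == "__main__":
    print("naive:     ", files_written_per_process(EVENTS, correlate=False))
    print("correlated:", files_written_per_process(EVENTS, correlate=True))
```

In the naive view every user document appears to be written by System, so a monitor that trusts that process sees nothing; once the write-backs are credited to the mapping process, the two user documents land on the unknown executable.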