In a recent analysis of the WastedLocker ransomware, Sophos detailed some of the methods the family uses to evade typical behavioral detection. By now, nearly everyone is familiar with how ransomware operates: once a victim is infected, data is potentially stolen, backups are deleted, and the ransomware goes to work encrypting files. During the encryption process, most ransomware opens each file and writes the encrypted content back directly, and that stream of writes from a suspicious process is exactly what most security solutions that monitor file events key on. To get around this, WastedLocker maps each file into memory (a file mapping) and encrypts the mapped view instead of writing the file itself. Windows' Memory Manager tracks which mapped pages have been modified and writes those dirty pages back to disk on its own schedule, from the operating system's context rather than the ransomware's process. Because of this, a security solution that attributes file writes to the process performing them may see only a trusted system process and ignore the encrypted data being written back to disk.
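The mechanism described above, as an added example (not code from the Sophos analysis or from WastedLocker): the same file is modified once through a conventional read/transform/write and once through a writable memory mapping, where the process never issues a write call and the OS writes the dirty pages back. The single-byte XOR transform is a placeholder for the ransomware's real encryption, and the file contents are constructed here so the script runs offline.

```python
"""Memory-mapped modification vs. direct write (added example, not WastedLocker code).

The XOR "cipher" is a toy stand-in for real encryption; the point is the I/O path,
not the transform.
"""
import mmap
import os
import tempfile


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy transform standing in for real encryption (assumption: single repeating key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def modify_via_direct_write(path: str, key: bytes) -> None:
    """Conventional path: the process itself writes the transformed bytes to the file."""
    with open(path, "r+b") as f:
        data = f.read()
        f.seek(0)
        f.write(xor_bytes(data, key))   # visible as a write by this process
        f.truncate()


def modify_via_mapping(path: str, key: bytes, flush: bool = False) -> None:
    """Mapping path: bytes are changed inside a writable file view; the OS writes
    the dirty pages back. On Windows, Python's mmap uses CreateFileMapping and
    MapViewOfFile; flush() calls FlushViewOfFile (msync on POSIX)."""
    size = os.path.getsize(path)
    if size == 0:
        return  # an empty file cannot be mapped
    with open(path, "r+b") as f:
        with mmap.mmap(f.fileno(), size, access=mmap.ACCESS_WRITE) as view:
            view[:] = xor_bytes(view[:], key)   # only memory is touched here
            if flush:
                view.flush()   # explicit write-back of the dirty pages
    # Without flush(), the modified pages are still written back after the
    # view is closed, on the Memory Manager's schedule rather than ours.


def demo(key: bytes = b"\x5a",
         payload: bytes = b"Quarterly report: nothing to see here.\n") -> dict:
    """Run both paths on identical constructed files and return the resulting bytes."""
    tmpdir = tempfile.mkdtemp()
    results = {}
    for name, fn in (("direct", modify_via_direct_write),
                     ("mapped", modify_via_mapping)):
        path = os.path.join(tmpdir, f"{name}.txt")
        with open(path, "wb") as f:
            f.write(payload)   # constructed sample content
        fn(path, key)
        with open(path, "rb") as f:
            results[name] = f.read()
    return results


if __name__ == "__main__":
    out = demo()
    print("identical on disk:", out["direct"] == out["mapped"])
```

Both paths leave the same bytes on disk; what differs is who performed the write. A sensor that only attributes writes to the process that issued them will see the mapped variant's write-back coming from the operating system, which is why detections for this pattern should also consider the creation of writable file mappings over many user documents, or the content of what lands on disk, rather than the identity of the writing process alone.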
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.