Dridex Gang Returns With WastedLocker Ransomware

The cybercriminal ring known by the aliases Dridex Gang and Evil Corp is making a return in mid-2020. The Eastern European malware gang rose to prominence a few years ago, launching the Cridex trojan. The first evolution of that malware was the infamous Dridex banking trojan, which also gave the group one of its names. Dridex in turn later evolved into a fully-featured malware multi-tool that was used in a number of attacks.

After two of the Dridex gang members were charged by the US Department of Justice in late 2019, the group dropped off the radar for a long while. For an organization as prolific and active as Evil Corp, who also ran one of the largest botnets and participated in spreading the infamous Locky malware, it was clear that it was a matter of time before the criminals would be back in the saddle.

After a brief blip of low-profile activity in early 2020, the gang was dormant for a few more months. However, now they are back and sporting a completely new strain of ransomware.

In mid-2020 the Dridex gang came back with the so-called WastedLocker ransomware. The name was chosen by security experts because the malware adds the .wasted extension to encrypted files. Code analysis revealed that WastedLocker contains very little code that is reused from, or similar to, existing strains, but its ransom note shows some obvious similarities to those of existing ransomware.

The new WastedLocker has been used exclusively against US companies and the ransom demands are massive, reaching sums north of $10 million. Researchers also noted a curious fact about WastedLocker – it had no data theft capabilities. The ability to scrape confidential information from a victim’s network has been present in a considerable portion of ransomware strains over the last couple of years. However, WastedLocker is missing such a module, which means its authors either don’t want to go through the extra step of threatening to sell stolen data online or are simply so confident in the capabilities of their malware that they rely solely on ransom payments going through.

Whether Evil Corp is coming back in full force or just testing the waters with this new ransomware remains to be seen.