WastedLocker Ransomware Now Hitting Home-Office Employees

A new malware campaign has come to the forefront, this time tailored to strike home-office workers in particular. That is not surprising when you consider that almost 2/3 of all U.S. employees are currently working from home because of the ongoing Covid-19 pandemic. Now, millions of home employees are facing a nasty ransomware threat called WastedLocker. Associated with the Evil Corp cybergang, WastedLocker has reportedly hit dozens of businesses to date and is now hunting down VPN-connected home PC users.

Multi-Level Infection Through a JavaScript Framework

To plant a WastedLocker ransomware infection onto a targeted device, the actors in charge need to redirect Web users to a compromised website hosting the so-called SocGholish, a JavaScript framework chock-full of malicious code, usually disguised as a fake software update delivered in a .zip archive. Once run, the SocGholish JavaScript launches another JS component through the wscript.exe Windows Script Host to gather details about the PC. Then it deploys PowerShell to download the Cobalt Strike tool along with a .NET injector. The former provides unauthorized system access; the latter executes malicious payloads directly in system memory, thus evading endpoint protection. Both tools ultimately deliver the Cobalt Strike Beacon payload. The Beacon serves as the primary operating panel for any further code injections, command executions, and privilege escalations.

This Week In Malware Episode 13 Part 1: Evil Corp Hackers Blocked from Deploying WastedLocker Ransomware

Before they trigger the actual WastedLocker ransomware infection, the crooks tamper with Windows Defender's settings to stop it from running real-time scans and monitoring. Next, they use the PsExec command-line tool to execute the WastedLocker payload itself.

Encryption

Once running, WastedLocker starts encrypting the victim's data. It also deletes any Volume Shadow Copies present on the system, so the encrypted files cannot be rolled back. In the end, the attack cripples the user's network and causes severe impediments to their workflow. While the exact amount of the demanded ransom remains unknown, the crooks at Evil Corp have allegedly earned millions of dollars. They did so by concentrating their efforts on compromising websites belonging to major corporations across the entire business spectrum in the U.S. So far, the most frequently targeted companies come from the manufacturing industry, followed by the IT sector, and Media and Telecommunications.
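The infection chain described above (a fake-update script run by the Windows Script Host, the script host spawning PowerShell, Windows Defender real-time monitoring being switched off, PsExec launching the payload, and shadow copies being deleted) maps cleanly onto process-creation telemetry. The following is an added example, not code from the article or from any vendor: a Python stage matcher that runs over constructed Sysmon-style process-creation events and flags a host only when several distinct stages of the chain appear together. The event shape, the sample telemetry, the rule thresholds and the stage names are all assumptions made for the example.

```python
"""Stage-based detection of the WastedLocker intrusion chain.
Runs over constructed Windows process-creation events (Sysmon Event ID 1 style).
Added example; the event shape and sample data are assumptions, not the article's."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # process that spawned this one, e.g. "wscript.exe"
    image: str          # executable name or full path of the new process
    command_line: str   # full command line as logged


def _name(path: str) -> str:
    """Lower-cased basename so rules match with or without a full path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# One rule per stage of the chain described in the article: name -> predicate over a single event.
STAGE_RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    # SocGholish: fake software update delivered as a .js file, run by the Windows Script Host
    "fake_update_script": lambda e: _name(e.image) in ("wscript.exe", "cscript.exe")
        and re.search(r"\.js\b", e.command_line, re.I) is not None
        and re.search(r"\\(Downloads|Temp)\\", e.command_line, re.I) is not None,
    # second stage: the script host hands off to PowerShell (downloader / injector)
    "script_host_spawns_powershell": lambda e: _name(e.parent_image) in ("wscript.exe", "cscript.exe")
        and _name(e.image) in ("powershell.exe", "pwsh.exe"),
    # Defender real-time protection switched off before the payload is dropped
    "defender_tamper": lambda e: re.search(
        r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", e.command_line, re.I) is not None,
    # PsExec used to launch the payload (client side, or the PSEXESVC service on the target)
    "psexec_execution": lambda e: _name(e.image) in ("psexec.exe", "psexec64.exe")
        or _name(e.parent_image) == "psexesvc.exe",
    # shadow copies removed so encrypted files cannot be rolled back
    "shadow_copy_deletion": lambda e: re.search(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
        e.command_line, re.I) is not None,
}


def matched_stages(events: List[ProcEvent]) -> List[str]:
    """Return the chain stages seen, in the order they first appear in the log."""
    seen: List[str] = []
    for ev in events:
        for stage, rule in STAGE_RULES.items():
            if stage not in seen and rule(ev):
                seen.append(stage)
    return seen


def is_wastedlocker_like(events: List[ProcEvent], min_stages: int = 3) -> bool:
    """Flag a host when several distinct stages occur on it.
    Any single stage (an admin running PsExec, say) is noisy on its own;
    the combination is what characterises this intrusion."""
    return len(matched_stages(events)) >= min_stages


# Constructed sample telemetry mirroring the chain in the article (not real logs).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "C:\\Windows\\System32\\wscript.exe",
              'wscript.exe "C:\\Users\\alice\\Downloads\\Chrome.Update.js"'),
    ProcEvent("wscript.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.ps1"),
    ProcEvent("powershell.exe", "powershell.exe",
              "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("cmd.exe", "C:\\Tools\\PsExec.exe",
              "PsExec.exe \\\\FILESRV01 -s -d C:\\ProgramData\\update.exe"),
    ProcEvent("update.exe", "C:\\Windows\\System32\\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
]

# Constructed benign activity: a logon script from a share, an admin reading Defender settings.
BENIGN_EVENTS = [
    ProcEvent("explorer.exe", "wscript.exe", 'wscript.exe "\\\\corp\\it\\logon.vbs"'),
    ProcEvent("cmd.exe", "powershell.exe", "powershell.exe -Command Get-MpPreference"),
]

if __name__ == "__main__":
    print(matched_stages(SAMPLE_EVENTS))
    print(is_wastedlocker_like(SAMPLE_EVENTS), is_wastedlocker_like(BENIGN_EVENTS))
```

The threshold in `is_wastedlocker_like` is the design choice worth tuning: each rule on its own will fire on legitimate administration, so the value of the example lies in correlating stages per host rather than alerting on any one command line. In a real deployment the same rules would be keyed by hostname and a time window, and the Defender rule would additionally watch for exclusion-path changes.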