WastedLocker Ransomware Attacks Against Large U.S. Corporations

According to researchers at Symantec and NCC Group, a group of attackers known as EvilCorp has launched sophisticated attacks against more than 30 large U.S. companies. The victims include manufacturers, companies in the energy and chemical sectors, transport organizations and some healthcare entities.

The attack begins when a victim downloads, from a compromised website, a ZIP file containing the SocGholish framework: malicious JavaScript disguised as a Chrome browser update. Running that script triggers a second JavaScript stage, which launches PowerShell to load Cobalt Strike (a commercial post-exploitation framework widely abused by attackers); Cobalt Strike then executes further commands and injects itself into other processes on the system. The attackers also use PsExec to disable Windows Defender on the affected hosts. Once that is done, the WastedLocker ransomware is launched; it encrypts the victim's data and deletes the Volume Shadow Copies on the system that could otherwise be used to restore files.
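Each stage of the chain above leaves a process-creation footprint that can be hunted for. The following is an added example, not code from the Symantec or NCC Group publications: a small set of detection rules run over constructed Sysmon-style process-creation records. The event field names (`ParentImage`, `Image`, `CommandLine`), the sample events and the exact command lines matched (vssadmin/wmic shadow-copy deletion, `MpCmdRun.exe` launched under `PSEXESVC.exe`) are assumptions about how the behaviour described in the article appears in logs, not indicators taken from the reports.

```python
"""Hunt rules for the delivery chain described in the article.

Added example: the record format mimics Sysmon Event ID 1 (process
creation) and the sample events below are CONSTRUCTED. The command
lines matched are assumptions about how the described behaviour
(fake browser update script, script host spawning PowerShell, PsExec-
driven Defender tampering, shadow-copy deletion) shows up in logs.
"""
import re

# Constructed sample log: one intrusion in order (ids 1-4) plus benign noise (5-6).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\Chrome.Update.ad12f\Chrome.Update.ad12f.js"'},
    {"id": 2, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},  # truncated, constructed
    {"id": 3, "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -RemoveDefinitions -All"},
    {"id": 4, "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"id": 6, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},  # benign admin use, must not fire
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable locations a ZIP download would be extracted into (assumption).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
# Common ways to delete Volume Shadow Copies from a command line (assumption).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy)",
    re.I)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_fake_update_script(ev):
    """Stage 1: script host runs a .js posing as an 'update' from a user-writable folder."""
    cl = ev["CommandLine"].lower()
    return (_base(ev["Image"]) in SCRIPT_HOSTS and ".js" in cl
            and "update" in cl and USER_WRITABLE.search(cl) is not None)


def rule_script_host_spawns_powershell(ev):
    """Stage 2: the JavaScript stage launches PowerShell (Cobalt Strike loader)."""
    return (_base(ev["ParentImage"]) in SCRIPT_HOSTS
            and _base(ev["Image"]) == "powershell.exe")


def rule_psexec_defender_tamper(ev):
    """Stage 3: a PsExec service child touches Windows Defender tooling/service."""
    cl = ev["CommandLine"].lower()
    return (_base(ev["ParentImage"]) == "psexesvc.exe"
            and (_base(ev["Image"]) == "mpcmdrun.exe" or "windefend" in cl))


def rule_shadow_copy_deletion(ev):
    """Stage 4: shadow copies deleted ahead of/with encryption."""
    return SHADOW_DELETE.search(ev["CommandLine"]) is not None


RULES = [
    ("fake_update_script", rule_fake_update_script),
    ("script_host_spawns_powershell", rule_script_host_spawns_powershell),
    ("psexec_defender_tamper", rule_psexec_defender_tamper),
    ("shadow_copy_deletion", rule_shadow_copy_deletion),
]
STAGES = [name for name, _ in RULES]


def scan(events):
    """Return (event id, rule name) for every rule that fires, in log order."""
    return [(ev["id"], name) for ev in events for name, pred in RULES if pred(ev)]


def stages_observed(events):
    return {name for _, name in scan(events)}


def full_chain_seen(events):
    """True when every stage of the described chain appears in the log."""
    return set(STAGES) <= stages_observed(events)


if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
    print("full chain:", full_chain_seen(SAMPLE_EVENTS))
```

Any single rule here is noisy on its own (administrators do run `vssadmin`, and PsExec is a legitimate tool); the value is in seeing several stages on one host in sequence, which is what `full_chain_seen` checks. In practice you would scope the correlation to a host and a time window rather than the whole log.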

Although WastedLocker is not ransomware that specifically targets ICS, more than a third of the 31 known victims belong to industrial sectors, so this group and its ransomware clearly pose a serious threat to industrial organizations and to Windows-based ICS hosts as well.

Further details about WastedLocker can be found in the publications of Symantec and NCC Group.