Rewterz Threat Alert – Lockscreen Ransomware Phishing Leads To Google Play Card Scam
July 27, 2020
Severity
High
Analysis Summary
WastedLocker is a relatively new ransomware family which has been tracked in the wild since April/May 2020. It has an affinity for running with administrative privileges: if the payload is executed with non-administrative permissions, it attempts to elevate privileges via a UAC bypass (mocking trusted directories). Once elevated, the ransomware writes a copy of a random file from System32 to the %APPDATA% directory. The newly copied file has a random, hidden filename. The ransomware then copies itself into that file by way of an alternate data stream (ADS).
Impact
- File encryption
Indicators of Compromise
MD5
- 6b20ef8fb494cc6e455220356de298d0
- 0ed2ca539a01cdb86c88a9a1604b2005
- 3208a14c9bad334e331febe00f1e9734
- edbf07eaca4fff5f2d3f045567a9dc6f
- bceb4f44d73f1a784e0af50e233eb1b4
- ecb00e9a61f99a7d4c90723294986bbc
- f67ea8e471e827e4b7b65b65647d1d46
- 2000de399f4c0ad50a26780700ed6cac
- 13e623cdfb75d99ea7e04c6157ca8ae6
- 572fea5f025df78f2d316216fbeee52e
SHA-256
- aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772
- e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb
- 85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb
- 9056ec1ee8d1b0124110e9798700e473fb7c31bc0656d9fc83ed0ac241746064
- 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
- ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
- 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
- 97a1e14988672f7381d54e70785994ed45c2efe3da37e07be251a627f25078a7
- 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d
- 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80
- bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
SHA1
- 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
- 70c0d6b0a8485df01ed893a7919009f099591083
- 763d356d30e81d1cd15f6bc6a31f96181edb0b8f
- b99090009cf758fa7551b197990494768cd58687
- 9292fa66c917bfa47e8012d302a69bec48e9b98c
- be59c867da75e2a66b8c2519e950254f817cd4ad
- 809fbd450e1a484a5af4ec05c345b2a7072723e7
- e13f75f25f5830008a4830a75c8ccacb22cebe7b
- 4fed7eae00bfa21938e49f33b7c6794fd7d0750c
- f25f0b369a355f30f5e11ac11a7f644bcfefd963
- e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
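The following is an added example of the IoC sweep the remediation step asks for; it is not Rewterz tooling. It loads the MD5, SHA-1 and SHA-256 values listed above into one indicator set, hashes every regular file under a directory tree in a single pass, and reports files whose digest matches. The function names, the chunk size and the throwaway directory built by `demo()` are constructed for illustration.

```python
"""Hash-based IoC sweep for the WastedLocker indicators in this alert (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, FrozenSet, List, Tuple

# Indicator values copied verbatim from the alert (MD5, SHA-256, SHA-1), all lower-case hex.
WASTEDLOCKER_IOCS: FrozenSet[str] = frozenset("""
6b20ef8fb494cc6e455220356de298d0 0ed2ca539a01cdb86c88a9a1604b2005
3208a14c9bad334e331febe00f1e9734 edbf07eaca4fff5f2d3f045567a9dc6f
bceb4f44d73f1a784e0af50e233eb1b4 ecb00e9a61f99a7d4c90723294986bbc
f67ea8e471e827e4b7b65b65647d1d46 2000de399f4c0ad50a26780700ed6cac
13e623cdfb75d99ea7e04c6157ca8ae6 572fea5f025df78f2d316216fbeee52e
aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb
85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb
9056ec1ee8d1b0124110e9798700e473fb7c31bc0656d9fc83ed0ac241746064
7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
97a1e14988672f7381d54e70785994ed45c2efe3da37e07be251a627f25078a7
887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d
8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80
bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
91b2bf44b1f9282c09f07f16631deaa3ad9d956d 70c0d6b0a8485df01ed893a7919009f099591083
763d356d30e81d1cd15f6bc6a31f96181edb0b8f b99090009cf758fa7551b197990494768cd58687
9292fa66c917bfa47e8012d302a69bec48e9b98c be59c867da75e2a66b8c2519e950254f817cd4ad
809fbd450e1a484a5af4ec05c345b2a7072723e7 e13f75f25f5830008a4830a75c8ccacb22cebe7b
4fed7eae00bfa21938e49f33b7c6794fd7d0750c f25f0b369a355f30f5e11ac11a7f644bcfefd963
e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07
""".lower().split())


def hash_bytes(data: bytes) -> Dict[str, str]:
    """All three digests of an in-memory blob (used for small samples and self-checks)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the file once, feeding all three digests, so large files are read a single time."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_hashes(hashes: Dict[str, str], iocs: FrozenSet[str]) -> List[str]:
    """Names of the algorithms whose digest appears in the indicator set (empty list = clean)."""
    return sorted(algo for algo, digest in hashes.items() if digest.lower() in iocs)


def scan_directory(root: str, iocs: FrozenSet[str] = WASTEDLOCKER_IOCS) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, algorithm, digest) for every file matching an indicator.
    Symlinks are skipped so the sweep cannot be steered outside the tree or into a loop."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                hashes = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: record it in real use rather than silently skip
            for algo in match_hashes(hashes, iocs):
                hits.append((path, algo, hashes[algo]))
    return hits


def demo() -> List[str]:
    """Constructed self-check: a temporary directory holding one benign file and one file whose
    MD5 is appended to a copy of the indicator set; only the latter should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"quarterly report draft")  # constructed benign content
        with open(os.path.join(tmp, "hidden.dat"), "wb") as fh:
            fh.write(b"hello")  # constructed stand-in for a flagged sample
        test_iocs = WASTEDLOCKER_IOCS | {hash_bytes(b"hello")["md5"]}
        hits = scan_directory(tmp, frozenset(test_iocs))
        return sorted(os.path.basename(path) for path, _algo, _digest in hits)


if __name__ == "__main__":
    print("self-check flagged:", demo())
    for path, algo, digest in scan_directory(os.environ.get("APPDATA", ".")):
        print(f"MATCH {algo} {digest} {path}")
```

Run it against `%APPDATA%` (the drop location the analysis names) and any other user-writable directories; a match warrants isolating the host and pulling the file for triage rather than deleting it. Hash matches are exact and brittle, so a recompiled or repacked build will not be caught this way; the behaviour the analysis describes (a hidden, randomly named copy of a System32 binary in `%APPDATA%` carrying an alternate data stream) is the more durable thing to hunt for alongside the hashes.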