Rewterz Threat Alert – WastedLocker Ransomware Active in the Wild

Severity

High

Analysis Summary

Recently, ransomware attacks have been observed that reportedly already exploited more than 31 companies, with 8 of the victims being Fortune 500 companies. These highly targeted campaigns distribute the WastedLocker ransomware. The WastedLocker ransomware is a relatively new malicious payload used by the high-profile EvilCorp MTA, which previously used the Dridex trojan to deploy BitPaymer ransomware in attacks targeting government organizations and enterprises in the United States and Europe. This MTA currently focuses on targeted “big game hunting” (BGH) ransomware attacks with multiple industry victims in recent months, with Garmin as one of the latest high-profile victims attacked (officially confirmed by Garmin on July 27). The most recent ransom amount demanded was US$10M and appears to be based on the victim’s financial data. Based on the available details, the ransom was likely paid. To date, this MTA appears to have been using a mono-extortion scheme (data encryption only, with no or minimal data leakage) vs. other MTAs who use the threat of leaking a victim’s data as part of a double-extortion scheme (such as, e.g. Netwalker, Maze, and others).

Impact

• Files Encryption
• Loss of data 
• Denial of Service
• Information Disclosure
• Credential theft
• Security bypass

Indicators of Compromise

Domain Name

• ludwoodgroup[.]xyz
• net-giftshop[.]info
• transvil2[.]xyz
• penaz[.]info
• typiconsult[.]com
• consultane[.]com
• msoftwares[.]info
• feedbackgive[.]com
• websitesbuilder[.]info
• rostraffic[.]com
• advokat-hodonin[.]info
• guiapocos[.]xyz
• devicelease[.]xyz
• paiolets[.]com
• woofwoofacademy[.]xyz
• lendojekam[.]xyz
• lgrarcosbann[.]club
• flablenitev[.]site
• traffichi[.]com
• utenti[.]info
• cofeedback[.]com
• respondcritique[.]xyz
• mwebsoft[.]com
• utenti[.]live
• lpequdeliren[.]fun
• triomigratio[.]xyz
• uplandcaraudio[.]xyz
• dns[.]proactiveads[.]be

MD5

• 0ed2ca539a01cdb86c88a9a1604b2005
• 572fea5f025df78f2d316216fbeee52e
• d124ae14809abde3528a479fe01a12bd
• 2000de399f4c0ad50a26780700ed6cac
• 2b3efa7882c674f4ae57dea991ff5014
• 6d000056522c9f92b027e0c443667485
• 31a57376158d926ae4cfa0574143d7ee
• 2cc4534b0dd0e1c8d5b89644274a10c1
• ef013138a06171ddaed1334601640db4

SHA-256

• 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
• 3dfb4e7ca12b7176a0cf12edce288b26a970339e6529a0b2dad7114bba0e16c3
• c786e4de11e64be8d4118cf8ba6b210e3396e3bb579f3afd4bf528c35bab4a6b
• 83710bbb9d8d1cf68b425f52f2fb29d5ebbbd05952b60fb3f09e609dfcf1976c
• 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
• 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
• f093b0006ef5ac52aa1d51fee705aa3b7b10a6af2acb4019b7bc16da4cabb5a1
• bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

SHA1

• db908077689613c483bcdf037f211d0e3369ff12
• 70c0d6b0a8485df01ed893a7919009f099591083
• 82c6615db16db8fa5c25ed3ba9ee2ba4758872b4
• 92d32c824891ea2055fbdd6b66597d7f5c003e88
• 735ee2c15c0b7172f65d39f0fd33b9186ee69653
• 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
• 4fed7eae00bfa21938e49f33b7c6794fd7d0750c
• 5e5e62ff09ee59fd7d17f79ef2c726ed1c1fc26f

URL

• http[:]//paiolets[.]com/install[.]exe
• https[:]//devicelease[.]xyz
• https[:]//utenti[.]info/1[.]exe
• https[:]//utenti[.]live/1[.]exe
• https[:]//szn[.]services/1[.]exe
• http[:]//lendojekam[.]xyz/index[.]php
• https[:]//uplandcaraudio[.]xyz
• https[:]//ludwoodgroup[.]xyz
• https[:]//respondcritique[.]xyz
• https[:]//woofwoofacademy[.]xyz
• http[:]//transvil2[.]xyz/index[.]php
• https[:]//guiapocos[.]xyz
• http[:]//flablenitev[.]site/index[.]php
• http[:]//lpequdeliren[.]fun/index[.]php
• https[:]//triomigratio[.]xyz

Remediation

• Block the threat indicators at their respective controls.
• Keeps all systems and software patched against all known security vulnerabilities.
• Do not download files from untrusted emails or from random sources on the internet.