Stealthy WastedLocker: eluding behaviour blockers, but not only

Alexander Adamov (NioGuard Security Lab)
partner message

Questions? Comments? Join the chat on Discord now!

Go to the Chat page

Submit your questions for VB2020 speakers on the #q-and-a channel,

chat with your peers on #general-chat, say hi to our our partners on their channels,

and enjoy the bustle of the conference corridor.

partner message

ANY.RUN - Interactive malware analysis sandbox

http://any.run/

Get fast results in real-time! Intuitive interface. Convenient for any level analysts.

Join for free and start your malware hunting!

partner message

Avira Cloud Sandbox API. Completely private, unlimited-scale, automated malware analysis service

https://oem.avira.com/en/solutions/cloud-sandbox-api

Avira’s Cloud Sandbox API is built to ensure data privacy.

Receive detailed, file-specific threat intelligence reports containing actionable intelligence.

Supports MITRE ATT&CK™ framework.

partner message

Do APT Mercenary Groups Pose Real Threat to Companies?

https://businessresources.bitdefender.com/apt-as-a-service-webinar

Learn about the recent Bitdefender investigation of a new attack attributed to a sophisticated actor offering advanced-persistent-threats-as-a-service.

Access the investigation

partner message

Be a part of the cyber resilience story - explore careers at

https://careers.opentext.com/

Join the cybersecurity and data protection team at Carbonite + Webroot, OpenText companies.

partner message

We don’t just talk about sharing. We do it every day

https://www.cyberthreatalliance.org/our-sharing-model/

Find out more about how threat intelligence sharing and collaboration through the Cyber Threat Alliance can function as a force multiplier to improve defenses across the ecosystem.

partner message

Map Malicious Infrastructures with Pure Signal™ Intelligence

https://partners.team-cymru.com/pure-signal-trial

Elite analyst teams use Team Cymru’s Pure Signal platform to access 50+ data types, including global network flow, PDNS, malware and more.

Start your 2-week trial now!

partner message

What is cyber threat intelligence (CTI) and how is it used?

Join the VB2020 Threat Intelligence Practitioners’ Summit (TIPS)

Join the VB2020 Threat Intelligence Practitioners’ Summit, sponsored by the Cyber Threat Alliance,

to hear from leading industry voices on how CTI sharing can function as a force multiplier to strengthen defenses across the ecosystem.

partner message

Kaspersky Threat Intelligence Portal - find cyberthreats in files, URLs, IPs and domains

https://opentip.kaspersky.com/

Know which alerts or incidents pose real threats, and prioritize them fast and effectively based on impact and risk levels.

partner message

No-Cost Threat Detection for ISPs and Hosting Providers

https://partners.team-cymru.com/nimbus-threat-monitor

Partner with Team Cymru and get near-real-time threat detection, powered by our world-class IP Reputation data.

Join us now!

partner message

Outsource your Unwanted Software/PUA Work for Free

https://appesteem.com/avs

AppEsteem’s feeds sort out the good apps from the Deceptors.

Our criteria are widely accepted. We’ll help with your disputes.

All for Free. Giving you more time to fight real malware.

partner message

Do you want to know how IT security products score in independent tests?

https://www.av-comparatives.org/enterprise/latest-tests/

AV-Comparatives is an ISO certified independent organization offering systematic testing that checks whether security software lives up to its promises.

Results are available for free!

partner message

Defeating Application Fraud - Learn How

https://www.shapesecurity.com/solutions

We protect more accounts from fraud than everyone else in the world combined.

Shape Security is now part of F5 (www.f5.com)

partner message

30+ years of experience in the anti-malware industry

www.virusbulletin.com

Virus Bulletin is so much more than just a great conference.

Check out our website to see what more we have to offer.

partner message

DNSDB®: The DNS Super Power for Security Teams

https://www.farsightsecurity.com/get-started-guide/

Farsight Security DNSDB®: the world's largest real-time and historical database of DNS resolutions.

Get your free DNSDB API key and use it in our newly updated web GUI, DNSDB Scout and your own environments.

Contextualize everything DNS related with one API key - DNSDB.

WastedLocker is an advanced piece of ransomware seen in at least 31 publicly known targeted attacks operated by the Evil Corp group against US-based corporations since May 2020. The most recent attack was against Garmin, as a consequence of which the Garmin Connect service went down.

The ransom demands typically vary from $500,000 to over $10 million in Bitcoin. [1, 2] However, the most interesting trait of WastedLocker is the defence evasion and privilege escalation techniques used in these attacks such as digital signing, DLL side loading, auto elevation, and the usage of Alternate Data Streams (ADS).

As a result, the ransomware managed to install and start itself from the Windows system folder with elevated privileges. Moreover, to encrypt files without attracting unnecessary attention from an anti-malware solution, WastedLocker leveraged the technique of mapping the user’s files into memory. When a file’s content is encrypted in the memory, it will automatically be written back to the file on a disk by the Windows Cache Manager, not by the actual ransomware process, which is called ‘lazy writing’. This technique can make an anti-ransomware module blind.

Another surprising effect of the memory mapping technique that plays against attackers is that the modification timestamps of the encrypted files are not changed, which makes files encryption invisible not only to anti-ransomware solutions but also to some backup solutions, in particular, Google’s Backup & Sync. In other words, the encrypted file's content won’t be synced with Google Drive, which prevents the original data stored in the cloud from being encrypted.

In this talk, we will take a look under the hood of WastedLocker and analyse the above-mentioned techniques with the help of the disassembler (IDA) that fans of reverse engineering might like.

Alexander Adamov
NioGuard Security Lab Dr Alexander Adamov is the Founder and CEO of the research laboratory called NioGuard Security Lab, with 15 years of experience in the analysis of cyber attacks. He teaches cybersecurity at NURE (Ukraine) and BTH (Sweden) universities and explores AI/ML capabilities in cybersecurity. He is a co-author of the EU Master's Program in Cyber Security. In cooperation with OSCE, he trained the Cyberpolice of Ukraine and shared the ransomware counteraction results with Europol. Alexander has spoken at various security conferences and workshops such as Virus Bulletin Conference, Virus Analyst Summit, OpenStack Summit, OWASP, BSides and UISGCON.
arrow left Back

Stealthy WastedLocker: eluding behaviour blockers, but not only

Alexander Adamov (NioGuard Security Lab)
WastedLocker is an advanced piece of ransomware seen in at least 31 publicly known targeted attacks operated by the Evil Corp group against US-based corporations since May 2020. The most recent attack was against Garmin, as a consequence of which the Garmin Connect service went down.

The ransom demands typically vary from $500,000 to over $10 million in Bitcoin. [1, 2] However, the most interesting trait of WastedLocker is the defence evasion and privilege escalation techniques used in these attacks such as digital signing, DLL side loading, auto elevation, and the usage of Alternate Data Streams (ADS).

As a result, the ransomware managed to install and start itself from the Windows system folder with elevated privileges. Moreover, to encrypt files without attracting unnecessary attention from an anti-malware solution, WastedLocker leveraged the technique of mapping the user’s files into memory. When a file’s content is encrypted in the memory, it will automatically be written back to the file on a disk by the Windows Cache Manager, not by the actual ransomware process, which is called ‘lazy writing’. This technique can make an anti-ransomware module blind.

Another surprising effect of the memory mapping technique that plays against attackers is that the modification timestamps of the encrypted files are not changed, which makes files encryption invisible not only to anti-ransomware solutions but also to some backup solutions, in particular, Google’s Backup & Sync. In other words, the encrypted file's content won’t be synced with Google Drive, which prevents the original data stored in the cloud from being encrypted.

In this talk, we will take a look under the hood of WastedLocker and analyse the above-mentioned techniques with the help of the disassembler (IDA) that fans of reverse engineering might like.

Alexander Adamov
NioGuard Security Lab Dr Alexander Adamov is the Founder and CEO of the research laboratory called NioGuard Security Lab, with 15 years of experience in the analysis of cyber attacks. He teaches cybersecurity at NURE (Ukraine) and BTH (Sweden) universities and explores AI/ML capabilities in cybersecurity. He is a co-author of the EU Master's Program in Cyber Security. In cooperation with OSCE, he trained the Cyberpolice of Ukraine and shared the ransomware counteraction results with Europol. Alexander has spoken at various security conferences and workshops such as Virus Bulletin Conference, Virus Analyst Summit, OpenStack Summit, OWASP, BSides and UISGCON.