
Threat Group Cards: A Threat Actor Encyclopedia

Tool: WastedLocker

Names: WastedLocker
Category: Malware
Type: Ransomware, Big Game Hunting
Description: (Fox-IT) The new WastedLocker ransomware appeared in May 2020 (a technical description is included below). The ransomware name is derived from the filename it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. The abbreviation of the victim’s name was also seen in BitPaymer, although a larger portion of the organisation name was used in BitPaymer and individual letters were sometimes replaced by similar looking numbers.

Technically, WastedLocker does not have much in common with BitPaymer, apart from the fact that it appears that victim specific elements are added using a specific builder rather than at compile time, which is similar to BitPaymer. Some similarities were also noted in the ransom note generated by the two pieces of malware. The first WastedLocker example we found contained the victim name as in BitPaymer ransom notes and also included both a protonmail.com and tutanota.com email address. Later versions also contained other Protonmail and Tutanota email domains, as well as Eclipso and Airmail email addresses. Interestingly the user parts of the email addresses listed in the ransom messages are numeric (usually 5 digit numbers) which is similar to the 6 to 12 digit numbers seen used by BitPaymer in 2018.
Information: <https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/>
<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us>
<https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html>
<https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/>
<https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/>
<https://unit42.paloaltonetworks.com/wastedlocker/>
<https://securelist.com/wastedlocker-technical-analysis/97944/>
<https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/>
<https://www.csoonline.com/article/3574907/wastedlocker-explained-how-this-targeted-ransomware-extorts-millions-from-victims.html>
Playbook: <https://pan-unit42.github.io/playbook_viewer/?pb=wastedlocker-ransomware>

Last change to this tool card: 19 October 2020
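The two naming indicators in the description (a per-victim abbreviation plus the string ‘wasted’ in the filenames the ransomware creates, and ransom-note contact addresses with a purely numeric user part at Protonmail, Tutanota, Eclipso or Airmail domains) can be turned into a small triage helper. The following is an added example written for this card; it is not code from ThaiCERT, Fox-IT or any of the linked reports. It assumes the abbreviation is appended as an extension of the form `<abbr>wasted` (the card only says the filename "includes" both parts), assumes a provider domain list that the card does not spell out, and runs on constructed sample paths and a constructed note rather than real incident data.

```python
"""Triage helper for the WastedLocker naming indicators described on this card.
Added example; not code from ThaiCERT or Fox-IT. Assumptions are marked."""
import re
from collections import defaultdict
from typing import Optional

# ASSUMPTION: the victim abbreviation is appended as an extension "<abbr>wasted"
# (2-8 lower-case letters). The card only says the created filename "includes an
# abbreviation of the victim's name and the string 'wasted'".
WASTED_EXT_RE = re.compile(r"\.([a-z]{2,8})wasted$")

# ASSUMPTION: provider domains. The card names protonmail.com and tutanota.com
# and mentions further Protonmail, Tutanota, Eclipso and Airmail domains without
# listing them; extend this set from your own intelligence.
RANSOM_MAIL_DOMAINS = {
    "protonmail.com", "protonmail.ch",
    "tutanota.com", "tutanota.de",
    "eclipso.eu", "airmail.cc",
}

# Numeric local part (card: usually 5 digits; BitPaymer used 6 to 12) at any domain.
MAIL_RE = re.compile(r"\b(\d{5,12})@([a-z0-9.-]+\.[a-z]{2,})\b", re.IGNORECASE)


def wasted_abbreviation(path: str) -> Optional[str]:
    """Return the victim abbreviation if `path` carries the assumed extension."""
    m = WASTED_EXT_RE.search(path)
    return m.group(1) if m else None


def group_wasted_files(paths):
    """Map abbreviation -> encrypted paths. Because the abbreviation is fixed by
    the builder, one incident should yield a single key; several keys point at
    either a false positive (e.g. a benign ".timewasted") or more than one build."""
    groups = defaultdict(list)
    for p in paths:
        abbr = wasted_abbreviation(p)
        if abbr:
            groups[abbr].append(p)
    return dict(groups)


def find_ransom_contacts(text: str):
    """Addresses with a purely numeric local part at a listed provider."""
    hits = []
    for user, domain in MAIL_RE.findall(text):
        if domain.lower() in RANSOM_MAIL_DOMAINS:
            hits.append(f"{user}@{domain.lower()}")
    return hits


# --- Constructed sample input (not from a real incident) -------------------
SAMPLE_PATHS = [
    r"C:\Users\jdoe\Documents\budget.xlsx.acmewasted",
    r"C:\Users\jdoe\Documents\plan.docx.acmewasted",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\jdoe\notes.txt",
]
SAMPLE_NOTE = (
    "Constructed sample note, not real ransom-note text. "
    "Contact 19283@protonmail.com or 19283@tutanota.com. "
    "Ignore 31337@example.org."
)


def triage(paths=SAMPLE_PATHS, note=SAMPLE_NOTE):
    """Summarise what the two indicators say about a file listing and a note."""
    groups = group_wasted_files(paths)
    return {
        "abbreviations": sorted(groups),
        "encrypted_files": sum(len(v) for v in groups.values()),
        "contacts": find_ransom_contacts(note),
        "single_build": len(groups) == 1,
    }


if __name__ == "__main__":
    print(triage())
```

Run it against a recursive directory listing from the affected hosts and the text of any note found; a single abbreviation across all flagged files is consistent with the builder-customised deployment the description attributes to WastedLocker, while the numeric-user-part check is deliberately narrow so that ordinary addresses at the same providers are not flagged.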


All groups using tool WastedLocker

Name | Country | Observed | Changed

Other groups

Indrik Spider | Russia | 2014-Jul 2020 | X

1 group listed (0 APT, 1 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
