Rewterz Threat Alert – WastedLocker Ransomware

Severity

High

Analysis Summary

WastedLocker is a relatively new ransomware family that has been tracked in the wild since April/May 2020. It prefers to run with administrative privileges: if the payload is executed with non-administrative permissions, it attempts to elevate via a UAC bypass (mock trusted directories). Once elevated, the ransomware writes a copy of a random file from System32 to the %APPDATA% directory, under a random, hidden filename, and then copies itself into that file by way of an alternate data stream (ADS).

[Figure: WastedLocker storyline]

Impact

  • File encryption

Indicators of Compromise

MD5

  • 6b20ef8fb494cc6e455220356de298d0
  • 0ed2ca539a01cdb86c88a9a1604b2005
  • 3208a14c9bad334e331febe00f1e9734
  • edbf07eaca4fff5f2d3f045567a9dc6f
  • bceb4f44d73f1a784e0af50e233eb1b4
  • ecb00e9a61f99a7d4c90723294986bbc
  • f67ea8e471e827e4b7b65b65647d1d46
  • 2000de399f4c0ad50a26780700ed6cac
  • 13e623cdfb75d99ea7e04c6157ca8ae6
  • 572fea5f025df78f2d316216fbeee52e

SHA-256

  • aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772
  • e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb
  • 85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb
  • 9056ec1ee8d1b0124110e9798700e473fb7c31bc0656d9fc83ed0ac241746064
  • 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
  • ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
  • 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
  • 97a1e14988672f7381d54e70785994ed45c2efe3da37e07be251a627f25078a7
  • 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d
  • 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80
  • bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

SHA-1

  • 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
  • 70c0d6b0a8485df01ed893a7919009f099591083
  • 763d356d30e81d1cd15f6bc6a31f96181edb0b8f
  • b99090009cf758fa7551b197990494768cd58687
  • 9292fa66c917bfa47e8012d302a69bec48e9b98c
  • be59c867da75e2a66b8c2519e950254f817cd4ad
  • 809fbd450e1a484a5af4ec05c345b2a7072723e7
  • e13f75f25f5830008a4830a75c8ccacb22cebe7b
  • 4fed7eae00bfa21938e49f33b7c6794fd7d0750c
  • f25f0b369a355f30f5e11ac11a7f644bcfefd963
  • e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
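The following script is an added example, not part of the Rewterz alert, showing one way to carry out the second remediation step: hash every file under a directory tree and match the digests against the MD5, SHA-1 and SHA-256 indicators listed above. The hash sets are copied from the alert's IoC lists; the default scan root (%APPDATA%, where the alert says the hidden payload copy is written), the per-file size cap and the function names are assumptions made for this example.

```python
"""Hash-based IoC sweep for the WastedLocker indicators listed in the alert.

Usage:  python ioc_sweep.py [ROOT]
Defaults to %APPDATA% on Windows (assumption: that is where the alert says
the hidden ADS-bearing copy lands); any directory can be passed instead.
"""
import hashlib
import os
import sys

# Indicators copied verbatim from the alert's IoC section.
IOC_MD5 = {
    "6b20ef8fb494cc6e455220356de298d0", "0ed2ca539a01cdb86c88a9a1604b2005",
    "3208a14c9bad334e331febe00f1e9734", "edbf07eaca4fff5f2d3f045567a9dc6f",
    "bceb4f44d73f1a784e0af50e233eb1b4", "ecb00e9a61f99a7d4c90723294986bbc",
    "f67ea8e471e827e4b7b65b65647d1d46", "2000de399f4c0ad50a26780700ed6cac",
    "13e623cdfb75d99ea7e04c6157ca8ae6", "572fea5f025df78f2d316216fbeee52e",
}
IOC_SHA1 = {
    "91b2bf44b1f9282c09f07f16631deaa3ad9d956d", "70c0d6b0a8485df01ed893a7919009f099591083",
    "763d356d30e81d1cd15f6bc6a31f96181edb0b8f", "b99090009cf758fa7551b197990494768cd58687",
    "9292fa66c917bfa47e8012d302a69bec48e9b98c", "be59c867da75e2a66b8c2519e950254f817cd4ad",
    "809fbd450e1a484a5af4ec05c345b2a7072723e7", "e13f75f25f5830008a4830a75c8ccacb22cebe7b",
    "4fed7eae00bfa21938e49f33b7c6794fd7d0750c", "f25f0b369a355f30f5e11ac11a7f644bcfefd963",
    "e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07",
}
IOC_SHA256 = {
    "aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772",
    "e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb",
    "85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb",
    "9056ec1ee8d1b0124110e9798700e473fb7c31bc0656d9fc83ed0ac241746064",
    "7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a",
    "ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3",
    "5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367",
    "97a1e14988672f7381d54e70785994ed45c2efe3da37e07be251a627f25078a7",
    "887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d",
    "8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80",
    "bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8",
}

MAX_FILE_BYTES = 64 * 1024 * 1024  # assumption: skip anything larger than 64 MiB


def hash_file(path, chunk_size=1 << 20):
    """Return {"md5", "sha1", "sha256"} hex digests of one file, read in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(digests, md5=IOC_MD5, sha1=IOC_SHA1, sha256=IOC_SHA256):
    """Return a list of (algorithm, digest) pairs that appear in the IoC sets."""
    hits = []
    for algo, ioc_set in (("md5", md5), ("sha1", sha1), ("sha256", sha256)):
        if digests[algo].lower() in ioc_set:
            hits.append((algo, digests[algo].lower()))
    return hits


def scan_tree(root, md5=IOC_MD5, sha1=IOC_SHA1, sha256=IOC_SHA256):
    """Walk `root` and return [(path, hits)] for every file matching an IoC."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_FILE_BYTES:
                    continue
                hits = match_iocs(hash_file(path), md5, sha1, sha256)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            if hits:
                findings.append((path, hits))
    return findings


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("APPDATA", ".")
    for found_path, found_hits in scan_tree(scan_root):
        print(f"IOC MATCH: {found_path} -> {found_hits}")
```

Hashing every file is the lowest-effort check and is only as good as the indicator list, so treat an empty result as "no known sample present", not as a clean bill of health; the hidden %APPDATA% copy the alert describes keeps its payload in an alternate data stream, and a plain directory walk hashes the primary stream only.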