Symantec Identifies WastedLocker Ransomware in U.S

Ransomware

The recently documented WastedLocker ransomware attacked at least 31 organizations in the United States, Symantec says.

The threat is believed to be the work of Evil Corp, the behind the Dridex Trojan and Locky ransomware Russia-linked cybergang, as well as ransomware families such as Bart, Jaff, and BitPaymer.

Last week, security researchers from the NCC Group revealed that the WastedLocker ransomware is being deployed against carefully selected targets, and that the fake update framework from SocGholish and a custom Cobalt Strike loader are being used for malware distribution.

Shortly after news from NCC Group, Symantec released its own take on WastedLocker, confirming that the malware has been targeted at least 31 organizations in the United States.

Since the organization only reports attacks on its own customers, the overall number of intended victims may be much higher, says Symantec.

The security firm uncovered the attacks after hackers breached targeted organizations’ networks and set up ransomware deployment.

“The ultimate goal of these attacks is to cripple the victim’s IT infrastructure by encrypting most of their computers and servers to demand a multimillion-dollar ransom,” notes Symantec.

The company confirms the use of the SocGholish JavaScript-based malware deployment platform, saying it was able to monitor it to more than 150 infected websites, where it is masquerading as a software update.

“Once attackers reach the victim’s network, they use Cobalt Strike commodity malware in tandem with a range of live-off-the-land tools to steal passwords, escalate privileges, and travel around the network to install WastedLocker ransomware on multiple computers,” notes Symantec.

Most of the targeted organisations, including many household names, are big corporations. The list of intended victims includes large private firms but also 11 listed firms, of which eight are part of the Fortune 500.

Of the 31 targeted organisations, only one was owned not by the U.S., but by an international corporate company located in the United States.

The attackers did not focus on targeting a particular sector, but instead hit multiple industries, most affected by manufacturing (5 targeted organizations), followed by IT (4 victims), and media and telecommunications (3 victims).

“If the attackers had not been disrupted, successful attacks could have resulted in millions of damages, downtime, and a potential domino effect on supply chains,” says Symantec.

Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.