WastedLocker Ransomware Demands Millions


Saturday, June 27th, 2020

Evil Corp, despite sharing its name with a fictional organization in the award-winning show Mr. Robot, is known in our world as one of the most dangerous and harmful malware operations on the internet. Two of its members, one of whom was its ‘leader,’ were charged by the US DOJ in 2019, but the group has recently been slowly coming back online.

First appearing on the scene in 2007, Evil Corp was originally known as the Dridex gang and began by distributing malware, first focusing on the Cridex banking Trojan, a malware strain that would eventually evolve into the Dridex banking Trojan and then finally into the Dridex multi-purpose malware toolkit. Following its re-branding as Evil Corp, the group has gained global notoriety as a leader in malware and spam botnets on the internet. The group is known to distribute its own malware, malware for other criminal groups, and custom spam messaging. Its nefarious activity continued to grow and culminated in criminal charges against two of its leading members in 2019. The group went silent for roughly a month following the charges, until it came back online in January of this year.


Having developed a custom ransomware it named BitPaymer in 2017, the group has recently abandoned its signature ransomware in favor of a newly created strain that Fox-IT researchers named ‘WastedLocker’ after the file extensions it adds to encrypted files, which usually consist of the victim’s name and the string “wasted.”

The same researchers claim that an analysis of this new ransomware strain and the previously known BitPaymer yields very little in terms of similarities in code structure and means of infection, though they note some similarities in the ransom notes used. Fox-IT began tracking the new strain in May of this year and claims that it has been used exclusively against US targets. The researchers also claim that the ransom amounts demanded are in the millions of dollars, a stark contrast to the typical demands of thousands of dollars.

“Ransom demands that are asked by Evil Corp are now typically into the millions. We’ve seen demands of more than $10 million,” said Maarten Dantzig, a researcher for Fox-IT.


Evil Corp remains an extremely aggressive threat actor, targeting file servers, database services, virtual machines, and cloud environments. The group also attempts to disrupt backup applications and related infrastructure to increase the resources the victim company needs to restore from backups. For targets that don’t utilize offline backups, Evil Corp deleting the backups will certainly force the victim to pay the ransom, provided they are able to afford it. Based on samples uploaded to the popular site VirusTotal, researchers at Fox-IT believe the new WastedLocker ransomware has been used around five times so far.

Surprisingly, researchers claim that the WastedLocker ransomware does not include any data theft capabilities, a stark contrast to the ten to fifteen well-known ransomware gangs that will regularly infect a target network, steal proprietary data, and then threaten to publish the stolen data on so-called ‘leak sites.’ While this isn’t evidence that Evil Corp lacks the capability for data exfiltration, it does hint that the group may not be interested in pursuing that avenue of attack. Fox-IT researchers say that this kind of criminal activity tends to bring media attention to the attack and to the threat actors, something Evil Corp may be actively looking to avoid. The DOJ charges are still recent and many of the group’s members appear on the FBI’s Cyber Most Wanted list, so any media attention makes it more likely that US authorities will prioritize their attacks.

