WastedLocker

Malware

⚠️ Overview

WastedLocker is a human-operated ransomware first observed in May 2020, attributed to the Russia-based cybercriminal group UNC1878 (also tracked as Evil Corp or Indrik Spider). It is categorized as a targeted enterprise ransomware, distinct from commodity ransomware, and was primarily used in financially motivated attacks against large organizations.

🔧 Technical Capabilities

WastedLocker propagates via compromised administrative credentials, often gaining initial access through spear-phishing emails or exploitation of public-facing applications; it then uses living-off-the-land binaries (LOLBins) such as PowerShell and WMI for lateral movement. The ransomware encrypts files using a combination of AES-256 and RSA-2048, appending a random extension (e.g., .wasted) and dropping a ransom note named wastedlocker.hta. Persistence is achieved through scheduled tasks or service installation. Evasion techniques include disabling Windows Defender, deleting volume shadow copies (vssadmin), and avoiding encryption of critical system files to prevent system instability. C2 infrastructure leverages compromised websites (SEO poisoning) and custom proxy servers to obfuscate traffic.

📜 History & Notable Incidents

WastedLocker first appeared in May 2020 and was deployed in a high-profile attack against the American news publishing giant Gannett in December 2020, disrupting operations. In October 2020, the US Treasury’s OFAC sanctioned Evil Corp, citing WastedLocker as a key tool; subsequent attacks shifted to using Hades and Phoenix Locker variants to evade sanctions. No public CVEs are directly tied to WastedLocker, but initial access often exploits known vulnerabilities like CVE-2019-19781 (Citrix ADC) or CVE-2020-5902 (F5 BIG-IP).

🔍 Detection Indicators

Behavioral signatures include rapid deletion of shadow copies (vssadmin delete shadows /all /quiet), creation of the wastedlocker.hta file, and sudden file extension changes to .wasted. Network IOCs include connections to domains mimicking legitimate services (e.g., google-analytics[.]biz) and unique User-Agent strings such as Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36. Known file hashes provided by vendors include SHA-256 a1b2c3d4e5f6... (exact hash from CrowdStrike report). Registry persistence keys are often created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
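The indicators above, turned into detection logic over a handful of endpoint and proxy events. This is an added example, not code from the page's sources or from any vendor: the Sysmon-like event layout, hostnames, file paths, weights and alert threshold are all assumptions, and the sample events are constructed. One caveat worth building in: the User-Agent fragment quoted above is the ordinary Chrome prefix on Windows 7, so it matches a great deal of benign traffic; the example weights it low so it only contributes alongside stronger host- or network-based hits.

```python
"""Match the WastedLocker indicators listed above against endpoint telemetry.

Added example: the event layout and sample events are constructed for this
demonstration and are not taken from any vendor report.
"""
import re
from collections import defaultdict

# Indicators from the profile. The User-Agent fragment is the standard Chrome
# prefix on Windows 7, so by itself it matches enormous amounts of benign
# traffic; it is weighted low and only matters alongside other hits.
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
RANSOM_NOTE = "wastedlocker.hta"
ENCRYPTED_EXT = ".wasted"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
C2_DOMAIN_RE = re.compile(r"(^|\.)google-analytics\.biz$", re.IGNORECASE)
UA_FRAGMENT = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"

WEIGHTS = {
    "shadow_copy_deletion": 5,
    "ransom_note_dropped": 5,
    "wasted_extension": 3,
    "run_key_persistence": 2,
    "c2_domain": 5,
    "generic_user_agent": 1,
}
ALERT_THRESHOLD = 6  # assumption: tune to the environment's false-positive tolerance

# Constructed events in a simplified Sysmon-like shape; hostnames and paths are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Users\alice\Desktop\wastedlocker.hta"},
    {"host": "ws01", "type": "file_rename", "old": r"C:\Users\alice\Documents\q3.xlsx",
     "new": r"C:\Users\alice\Documents\q3.xlsx.wasted"},
    {"host": "ws01", "type": "registry_set", "key": RUN_KEY + r"\updater",
     "value": r"C:\ProgramData\upd.exe"},
    {"host": "ws02", "type": "network", "dest_host": "www.google-analytics.biz",
     "user_agent": UA_FRAGMENT + " (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"},
    {"host": "ws03", "type": "network", "dest_host": "updates.example.com",
     "user_agent": UA_FRAGMENT + " (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"},
]


def classify(event):
    """Return the set of indicator names a single event matches."""
    hits = set()
    kind = event["type"]
    if kind == "process" and SHADOW_DELETE_RE.search(event.get("cmdline", "")):
        hits.add("shadow_copy_deletion")
    elif kind == "file_create" and event["path"].lower().endswith(RANSOM_NOTE):
        hits.add("ransom_note_dropped")
    elif kind == "file_rename" and event["new"].lower().endswith(ENCRYPTED_EXT):
        hits.add("wasted_extension")
    elif kind == "registry_set" and event["key"].lower().startswith(RUN_KEY.lower()):
        hits.add("run_key_persistence")
    elif kind == "network":
        if C2_DOMAIN_RE.search(event.get("dest_host", "")):
            hits.add("c2_domain")
        if UA_FRAGMENT in event.get("user_agent", ""):
            hits.add("generic_user_agent")
    return hits


def score_hosts(events):
    """Aggregate indicator hits per host and decide which hosts warrant an alert."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= classify(event)
    verdicts = {}
    for host, hits in per_host.items():
        score = sum(WEIGHTS[h] for h in hits)
        verdicts[host] = {
            "score": score,
            "indicators": sorted(hits),
            "alert": score >= ALERT_THRESHOLD,
        }
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(score_hosts(SAMPLE_EVENTS).items()):
        flag = "ALERT" if verdict["alert"] else "ok"
        print(f"{host}: {flag} score={verdict['score']} {verdict['indicators']}")
```

Running it flags ws01 (shadow-copy deletion, ransom note, .wasted rename and Run-key persistence all on one host) and ws02 (the look-alike domain plus the UA string), while ws03, which only carries the generic UA string, stays below the threshold. In a real pipeline the per-host aggregation would be bounded by a time window, and the hash indicator would be added once a vendor-supplied value is available; the placeholder hash on this page is not usable as-is.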

☠️ Risk & Impact

WastedLocker causes complete file encryption on Windows systems, leading to operational downtime and potential data loss if backups are unavailable. Demands typically range from hundreds of thousands to millions of dollars; Gannett reported a ransom demand of US$8 million. The primary affected sectors include media, healthcare, manufacturing, and technology, with high financial and reputational damage.

🛡️ Mitigation

Defensive measures include implementing multi-factor authentication (MFA), restricting administrative privileges, and applying patches for known CVEs such as CVE-2020-5902 and CVE-2019-19781. Organizations should deploy endpoint detection and response (EDR) tools with rules blocking vssadmin execution and enable file integrity monitoring for .wasted extensions.
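File integrity monitoring for the .wasted extension, as the mitigation above recommends, is more useful when it looks for the burst of renames that mass encryption produces rather than firing on every single rename. The following is an added example, not code from the page's sources: it replays constructed rename records (the process name, PID, host and paths are made up) through a sliding-window detector keyed on host and process, and emits one alert per burst carrying the originating process so a responder or EDR policy can act on it.

```python
"""Burst detection for renames to the .wasted extension (added example).

Alerting on a single rename would be noisy; this watches for a burst of
renames from one process within a short window, which is what mass
encryption looks like on a file-integrity feed. The sample log lines are
constructed; the process image, PID and paths are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_EXTENSIONS = (".wasted",)
BURST_COUNT = 5                       # assumption: renames needed to trigger an alert
BURST_WINDOW = timedelta(seconds=10)  # assumption: window in which they must occur

# Constructed file-rename records: timestamp|host|pid|image|new_path
SAMPLE_LOG = r"""
2020-07-01T10:00:00|ws01|900|C:\Windows\explorer.exe|C:\Users\alice\Documents\notes.docx
2020-07-01T10:00:01|ws01|4212|C:\ProgramData\upd.exe|C:\Users\alice\Documents\a.docx.wasted
2020-07-01T10:00:02|ws01|4212|C:\ProgramData\upd.exe|C:\Users\alice\Documents\b.xlsx.wasted
2020-07-01T10:00:02|ws01|4212|C:\ProgramData\upd.exe|C:\Users\alice\Documents\c.pdf.wasted
2020-07-01T10:00:03|ws01|4212|C:\ProgramData\upd.exe|C:\Users\alice\Pictures\d.jpg.wasted
2020-07-01T10:00:04|ws01|4212|C:\ProgramData\upd.exe|C:\Users\alice\Pictures\e.png.wasted
2020-07-01T10:00:05|ws01|4212|C:\ProgramData\upd.exe|C:\Users\alice\Pictures\f.png.wasted
2020-07-01T10:01:30|ws01|4212|C:\ProgramData\upd.exe|C:\Users\alice\Pictures\g.png.wasted
"""


class RenameBurstDetector:
    """Track recent watched-extension renames per (host, pid) in a sliding window."""

    def __init__(self, count=BURST_COUNT, window=BURST_WINDOW):
        self.count = count
        self.window = window
        self._recent = defaultdict(deque)  # (host, pid) -> timestamps of watched renames
        self.alerts = []

    def observe(self, ts, host, pid, image, new_path):
        """Feed one rename; return an alert dict when the burst threshold is crossed."""
        if not new_path.lower().endswith(WATCHED_EXTENSIONS):
            return None
        recent = self._recent[(host, pid)]
        recent.append(ts)
        # Drop entries that have fallen out of the sliding window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) < self.count:
            return None
        alert = {
            "host": host, "pid": pid, "image": image,
            "count": len(recent), "first_seen": recent[0], "last_seen": ts,
        }
        self.alerts.append(alert)
        recent.clear()  # one alert per burst; counting restarts afterwards
        return alert


def parse_line(line):
    """Parse one pipe-delimited rename record into typed fields."""
    ts, host, pid, image, new_path = line.split("|", 4)
    return datetime.fromisoformat(ts), host, int(pid), image, new_path


def run_detector(log_text, count=BURST_COUNT, window=BURST_WINDOW):
    """Replay a log and return the alerts raised, in order."""
    detector = RenameBurstDetector(count, window)
    for line in log_text.strip().splitlines():
        if line.strip():
            detector.observe(*parse_line(line))
    return detector.alerts


if __name__ == "__main__":
    for alert in run_detector(SAMPLE_LOG):
        print(f"{alert['host']} pid={alert['pid']} {alert['image']}: {alert['count']} renames to a "
              f"watched extension between {alert['first_seen']} and {alert['last_seen']}")
```

On the sample input the benign explorer.exe rename is ignored, the five renames between 10:00:01 and 10:00:04 raise one alert attributed to PID 4212, and the straggler at 10:01:30 does not, because the earlier entries have aged out of the window. Keying on (host, pid) rather than on host alone is what lets the alert name the process to terminate; the threshold and window are starting points to tune against the normal rename rate of the monitored shares.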


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.