Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:10 PM
Connect Directly

Major US Companies Targeted in New Ransomware Campaign

Evil Corp. group hit at least 31 customers in campaign to deploy WastedLocker malware, according to Symantec.

More than two-dozen US organizations — several of them Fortune 500 companies — were attacked in recent days by a known threat group looking to deploy a dangerous new strain of ransomware called WastedLocker.

Had the attacks succeeded, they could have resulted in millions of dollars in damages to the organizations and potentially had a major impact on supply chains in the US, Symantec said in a report Thursday.

According to the security vendor, at least 31 of its customers were targeted, suggesting the actual scope of the attacks is much higher. Eleven of the companies are publicly listed, and eight are in the Fortune 500.

Among those affected were five organizations in the manufacturing sector, four IT companies, and three media and telecommunications firms. Organizations in multiple other sectors — including energy, transportation, financial services, and healthcare — were also affected. In each instance, the attackers managed to breach the networks of the targeted organizations and were preparing to deploy the ransomware when they were detected and stopped.

"The attackers behind this threat appear to be skilled and experienced, capable of penetrating some of the most well protected corporations, stealing credentials, and moving with ease across their networks," Symantec warned. "As such, WastedLocker is a highly dangerous piece of ransomware."

Symantec described the attacks as being carried out by Evil Corp., a Russian cybercrime group that has been previously associated with the Dridex banking Trojan and the BitPayment ransomware family. Last December, US authorities indicted two members associated with the group — Maksim Yakubets and Igor Turashev — in connection with their operation of Dridex and the Zeus banking Trojans.

The two — along with other conspirators — are alleged to have attempted theft of a staggering $220 million and caused $70 million in actual damages. The US Department of State's Transnational Organized Crime (TOC) Rewards Program has established an unprecedented $5 million bounty for information on Yakubets. Both men remain at large.

Dangerous Campaign
The NCC Group, which also this week published a report on the WastedLocker campaign, said its investigations showed the ransomware has been in use at least since May and was likely in development several months before that. Evil Corp. has typically targeted file servers, database services, virtual machines, and cloud environments in its ransomware campaigns. They have also shown a tendency to disrupt or disable backup systems and related infrastructure where possible to make recovery even harder for victims, NCC Group said.

Symantec said its investigation shows the attackers are using a JavaScript-based malware previously associated with Evil Corp. called SocGholish to gain an initial foothold on victim networks. SocGholish is being distributed in the form of a zipped file via at least 150 legitimate — but previously compromised — websites. 

The malware masquerades as a browser update and lays the groundwork for the computer to be profiled. The attackers have then been using PowerShell to download and execute a loader for Cobalt Strike Beacon, a penetration-testing tool that attackers often use in malicious campaigns.

The tool is being used to execute commands, inject malicious code into processes or to impersonate them, download files, and carry out other various tasks that allow the attackers to escalate privileges and gain control of the infected system. As with many current malicious campaigns, the attackers behind WastedLocker have been leveraging legitimate processes and functions, including PowerShell scripts and the Windows Management Instrumentation Command Line Utility (wmic dot exe) in their campaign, Symantec said.

To deploy the ransomware itself, the attackers have been using the Windows Sysinternals tool PsExec to launch a legitimate command line tool for managing Windows Defender (mpcmdrun.exe). This disables scanning of all downloaded files and attachments and disables real-time monitoring, Symantec said. "It is possible that the attackers use more than one technique to perform this task, since NCC reported suspected use of a tool called SecTool checker for this purpose," Symantec said.

The ransomware deploys after Windows Defender and all associated services have been stopped across the organization, the vendor noted. "A successful attack could cripple the victim's network, leading to significant disruption to their operations and a costly clean-up operation," Symantec warned.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-12
A flaw was found in samba. Spaces used in a string around a domain name (DN), while supposed to be ignored, can cause invalid DN strings with spaces to instead write a zero-byte into out-of-bounds memory, resulting in a crash. The highest threat from this vulnerability is to system availability.
PUBLISHED: 2021-05-12
A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to ...
PUBLISHED: 2021-05-12
An incorrect permission vulnerability in the product installer for Trend Micro HouseCall for Home Networks version 5.3.1179 and below could allow an attacker to escalate privileges by placing arbitrary code on a specified folder and have that code be executed by an Administrator who is running a sca...
PUBLISHED: 2021-05-12
An incorrect permission vulnerability in the product installer folders for Trend Micro HouseCall for Home Networks version 5.3.1179 and below could allow an attacker to escalate privileges by placing arbitrary code on a specified folder and have that code be executed by an Administrator who is runni...
PUBLISHED: 2021-05-12
An issue was discovered in Smartstore (aka SmartStoreNET) through 4.1.1. Views/PrivateMessages/View.cshtml does not call HtmlUtils.SanitizeHtml on a private message.