WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media.
|Enterprise||T1548||.002||Abuse Elevation Control Mechanism: Bypass User Account Control||
WastedLocker attempts a UAC bypass when it is not already running with administrator rights; the bypass applies to hosts running Windows Vista or later, the versions on which UAC exists.
|Enterprise||T1059||.003||Command and Scripting Interpreter: Windows Command Shell||
WastedLocker has used the Windows command shell (cmd.exe) to execute commands on the system.
|Enterprise||T1543||.003||Create or Modify System Process: Windows Service||
WastedLocker creates and starts a Windows service that runs until the encryption process is complete.
|Enterprise||T1486||Data Encrypted for Impact||
WastedLocker can encrypt data and leave a ransom note.
|Enterprise||T1140||Deobfuscate/Decode Files or Information||
WastedLocker's custom crypter, CryptOne, uses an XOR-based algorithm to decrypt the payload at run time.
|Enterprise||T1083||File and Directory Discovery||
WastedLocker can enumerate files and directories just prior to encryption.
|Enterprise||T1222||.001||File and Directory Permissions Modification: Windows File and Directory Permissions Modification||
WastedLocker has a command to take ownership of a file and reset the ACL permissions using the
|Enterprise||T1564||.001||Hide Artifacts: Hidden Files and Directories||
WastedLocker has copied a random file from the Windows System32 folder to the
|Enterprise||T1564||.004||Hide Artifacts: NTFS File Attributes||
WastedLocker has the ability to store files in, and execute them from, an NTFS alternate data stream (ADS).
|Enterprise||T1574||.001||Hijack Execution Flow: DLL Search Order Hijacking||
WastedLocker has performed DLL search order hijacking prior to executing its payload.
|Enterprise||T1490||Inhibit System Recovery||
WastedLocker can delete Volume Shadow Copies to prevent file recovery.
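The service creation, ADS staging and shadow copy deletion behaviours listed above are the three that leave the most direct host telemetry, so the following is an added detection example (not part of this page, and not WastedLocker code) that runs simple rules over constructed Windows event records. The event IDs are real ones (Security 4688 process creation, System 7045 service installation, Sysmon 15 FileCreateStreamHash); the sample records, the service and file names in them, and the choice of vssadmin/wmic command patterns as the usual shadow copy deletion methods are assumptions made for the example, not details taken from the page.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    source: str                      # log channel: "Security", "System" or "Sysmon"
    event_id: int
    fields: dict = field(default_factory=dict)


# Constructed sample events for the example; these are not real telemetry.
SAMPLE_EVENTS = [
    Event("Security", 4688, {"Image": r"C:\Windows\System32\vssadmin.exe",
                             "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}),
    Event("Security", 4688, {"Image": r"C:\Windows\System32\vssadmin.exe",
                             "CommandLine": "vssadmin.exe list shadows"}),       # benign admin use
    Event("Security", 4688, {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
                             "CommandLine": "wmic shadowcopy delete"}),
    Event("System", 7045, {"ServiceName": "WinSyncSvc",                          # hypothetical name
                           "ImagePath": r"C:\Users\alice\AppData\Roaming\2f8a\kbdus.exe"}),
    Event("System", 7045, {"ServiceName": "Spooler",
                           "ImagePath": r"C:\Windows\System32\spoolsv.exe"}),
    Event("Sysmon", 15, {"Image": r"C:\Users\alice\AppData\Roaming\2f8a\kbdus.exe",
                         "TargetFilename": r"C:\Users\alice\AppData\Roaming\2f8a\kbdus.exe:bin"}),
    Event("Sysmon", 15, {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                         "TargetFilename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier"}),
]

# Command-line patterns for the common shadow copy deletion methods (assumed, not from the page).
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\bdelete\b", re.I),
]

# Service binaries living under user-writable locations are unusual for legitimate services.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)

# "file.ext:stream" after the last backslash; the drive-letter colon is excluded by the anchor.
ADS_PATH = re.compile(r"^[a-z]:\\(?:.*\\)?[^\\:]+:(?P<stream>[^\\:]+)$", re.I)
BENIGN_STREAMS = {"zone.identifier"}     # Mark-of-the-Web streams are expected on downloads


def detect(events):
    """Return (rule_name, evidence) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        f = ev.fields
        if ev.source == "Security" and ev.event_id == 4688:
            cmd = f.get("CommandLine", "")
            if any(p.search(cmd) for p in SHADOW_DELETE):
                alerts.append(("inhibit_system_recovery.shadow_delete", cmd))
        elif ev.source == "System" and ev.event_id == 7045:
            path = f.get("ImagePath", "")
            if USER_WRITABLE.search(path):
                alerts.append(("windows_service.user_writable_image", path))
        elif ev.source == "Sysmon" and ev.event_id == 15:
            target = f.get("TargetFilename", "")
            m = ADS_PATH.match(target)
            if m and m.group("stream").lower() not in BENIGN_STREAMS:
                alerts.append(("ntfs_ads.non_zone_stream", target))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The rules are deliberately narrow: `vssadmin list shadows` and a Zone.Identifier stream written by a browser are left alone, while the delete commands, a service whose binary sits under a user profile, and a non-MOTW stream on an executable are each raised. In production the Sysmon 15 rule should be tuned against software that legitimately writes custom streams.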
WastedLocker can modify registry values within the
WastedLocker's custom crypter, CryptOne, uses the VirtualAlloc() API to allocate memory for the decrypted payload before executing it.
|Enterprise||T1135||Network Share Discovery||
WastedLocker can enumerate network-adjacent and accessible network drives.
|Enterprise||T1027||Obfuscated Files or Information||
The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.
WastedLocker contains junk code to increase its entropy and hide the actual code.
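Both the XOR-based payload decryption attributed to CryptOne above and the encrypted strings held in the binary's .bss section are cases where an analyst first needs to recover the key. The page does not describe CryptOne's actual key or algorithm, so the following is an added, generic triage example (not CryptOne and not code from this page): it brute-forces a single-byte XOR key over a blob by scoring how much of the decoded output is printable text or NUL string terminators, then splits the result into candidate strings. The sample blob is constructed for the example with an assumed key of 0x5A; real samples may use multi-byte or rolling keys, for which the same scoring can be applied per key position.

```python
import string

# Bytes accepted in a decoded buffer: printable ASCII (minus vertical tab / form feed) plus NUL,
# because embedded string tables are typically NUL-separated.
PRINTABLE = set(string.printable.encode("ascii")) - {0x0B, 0x0C}
ACCEPTED = PRINTABLE | {0x00}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (single-byte keys are the len(key) == 1 case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def accepted_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text or NUL separators; 1.0 for a clean string table."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in ACCEPTED) / len(data)


def candidate_strings(data: bytes, min_len: int = 4):
    """Split a decoded buffer on NUL and keep fully printable runs of at least min_len bytes."""
    return [chunk.decode("ascii") for chunk in data.split(b"\x00")
            if len(chunk) >= min_len and all(b in PRINTABLE for b in chunk)]


def brute_force_single_byte_xor(blob: bytes, top: int = 3):
    """Try all 256 single-byte keys; return the best (ratio, key, decoded) tuples."""
    scored = []
    for key in range(256):
        decoded = xor_bytes(blob, bytes([key]))
        scored.append((accepted_ratio(decoded), key, decoded))
    # Highest ratio first; ties broken by how many clean strings the key yields.
    scored.sort(key=lambda t: (-t[0], -len(candidate_strings(t[2])), t[1]))
    return scored[:top]


def recover_strings(blob: bytes):
    """Convenience wrapper: best key and the strings it reveals."""
    ratio, key, decoded = brute_force_single_byte_xor(blob, top=1)[0]
    return key, ratio, candidate_strings(decoded)


# Constructed sample: a NUL-separated string table XORed with the assumed key 0x5A.
_PLAINTEXT = (b"ADVAPI32.dll\x00CreateServiceW\x00"
              b"vssadmin.exe Delete Shadows /All /Quiet\x00C:\\Windows\\System32\x00")
SAMPLE_BLOB = xor_bytes(_PLAINTEXT, b"\x5a")


if __name__ == "__main__":
    key, ratio, strings = recover_strings(SAMPLE_BLOB)
    print(f"key=0x{key:02x} score={ratio:.2f}")
    for s in strings:
        print("  ", s)
```

The scoring rewards NUL bytes as well as printable ones, so a wrong key that maps NUL to a control character loses points even when it keeps letters in the printable range; that is what separates the true key from its near neighbours. For a .bss section extracted from a real binary, feed the raw section bytes in as `blob` and inspect the top few candidates rather than trusting only the first.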
|Enterprise||T1120||Peripheral Device Discovery||
WastedLocker can enumerate removable drives prior to the encryption process.
WastedLocker checks for specific registry keys related to the
|Enterprise||T1569||.002||System Services: Service Execution||
WastedLocker can execute itself as a service.
|Enterprise||T1497||.001||Virtualization/Sandbox Evasion: System Checks||
As part of its anti-analysis checks, WastedLocker checks whether the UCOMIEnumConnections and IActiveScriptParseProcedure32 registry keys are present on the host.