The Securonix Threat Research Team is actively investigating the details of the critical targeted Wastedlocker ransomware attacks that has reportedly already exploited more than 31 companies, with 8 of the victims being Fortune 500 companies.
Here are the key details regarding the impact of the high-profile WastedLocker ransomware attacks/EviICorp malicious cyber threat actor(s)(MTA) involved:
- The WastedLocker ransomware is a relatively new malicious payload used by the high-profile EvilCorp MTA, which previously used the Dridex trojan to deploy BitPaymer ransomware in attacks targeting government organisations and enterprises in Europe and the United States.
- This MTA currently focuses on targeted °big game hunting” (BGH) ransomware attacks with multiple industry victims in recent months, with Garmin as one of the latest high-profile victims attacked (officially confirmed by Garmin on July 27).
- The most recent ransom amount demanded was $10 million, and appears to be based on the victim’s financial data. Based on the available details, the ransom was likely paid.
- To date, this MTA appears to have been using a mono-extortion scheme (data encryption only, with no or minimal data leakage) vs. other MTAs who use the threat of leaking a victim’s data as part of a double-extortion scheme (e.g. Netwalker, Maze, and others).
Following the initial compromise, one of the early steps commonly taken by the malicious operators observed is to perform internal discovery and disable security/AV vendor tools such as Cisco AMP and/or Windows Defender.
Here are some of the Securonix recommendations to help prevent and/or mitigate the attack:
- Review your backup version retention policies and make sure that your backups are stored in a location that cannot be accessed/encrypted by operator placed targeted ransomware, (e.g. consider remote write-only backup locations).
- Implement an end user security training program, since end users are ransomware targets. It is important for them to be aware of the threat of ransomware and how it occurs.
- Patch operating systems, software, and firmware on your infrastructure. Consider leveraging a centralised patch management system.
- Maintain regular air-gapped backups of critical corporate/infrastructure data.
- Implement security monitoring, particularly for high-value targets (HVT) in your environments, to detect possible malicious ransomware operator placement activities earlier.
- For your Windows systems, consider enabling and auditing controlled folder access/turn on the protected folders feature.
