Evil Corp blocked from deploying ransomware on US companies

The Evil Corp gang was blocked from deploying WastedLocker ransomware payloads in dozens of attacks against major US corporations, including Fortune 500 companies.

“The vast majority of targets are major corporations, including many household names,” Symantec said. “Aside from a number of large private companies, there were 11 listed companies, eight of which are Fortune 500 companies.”

In the past, the group distributed the Dridex malware toolkit (later also used to deliver other threat actors’ payloads), as well as Locky ransomware and, until 2019, its own ransomware known as BitPaymer.

After two of its members were indicted by the US Department of Justice in December 2019, Evil Corp refreshed its tactics and is now back in the ransomware business, deploying WastedLocker in corporate networks and demanding ransoms of millions of dollars.

Attacks blocked before ransomware deployment

“At least 31 customer organizations have been attacked, meaning the total number of attacks may be much higher,” researchers at Symantec who spotted these attacks explained.

“The attackers had breached the networks of targeted organizations and were in the process of laying the groundwork for staging ransomware attacks.”

Only one of the 31 large private companies that were targeted was not a US company but instead a US-based subsidiary of an overseas multinational.

Evil Corp’s attacks were directed at a wide range of industry sectors, with a focus on manufacturing (five of the 31 targets), followed by four organizations from the information technology sector and three from telecommunications.

Figure: WastedLocker targets by industry sector (Symantec)

“The attacks begin with a malicious JavaScript-based framework known as SocGholish, tracked to more than 150 compromised websites, which masquerades as a software update,” Symantec added.

“Once the attackers gain access to the victim’s network, they use Cobalt Strike commodity malware in tandem with a number of living-off-the-land tools to steal credentials, escalate privileges, and move across the network in order to deploy the WastedLocker ransomware on multiple computers.”

Before deploying the ransomware payload, the threat actors disable Windows Defender across the organization’s entire network using legitimate tools and PowerShell scripts downloaded from attacker-controlled servers.

Once the anti-malware services are stopped, the WastedLocker ransomware is launched using the Windows Sysinternals PsExec tool to encrypt data and delete volume shadow copies, where Windows keeps backups and snapshots of the victims’ files, so that recovery is impossible.

Figure: WastedLocker attack chain (Symantec)
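The attack chain described above (a fake-update JavaScript lure, Defender being switched off, PsExec-driven deployment, and shadow-copy deletion) maps onto endpoint behaviours a defender can correlate per host. The following Python is an added example, not code from Symantec’s report or from this article: it parses a handful of constructed key=value telemetry lines (hypothetical, not IOCs from the report), applies one detection rule per stage, and flags hosts where two or more stages appear together. The field names, rule names and sample hosts are assumptions made for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample telemetry lines in a simple key=value form (quoted values
# may contain spaces). Hypothetical, made up for this example; each line mirrors
# one stage of the attack chain described in the article.
SAMPLE_LOGS = [
    # Fake-update lure: a browser spawns wscript.exe on a .js file from Downloads
    r'host=ws01 event=ProcessCreate parent="C:\Program Files\Google\Chrome\Application\chrome.exe" image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\alice\Downloads\Chrome.Update.js"',
    # Defender tampering via PowerShell
    r'host=ws01 event=ProcessCreate image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"',
    # Shadow-copy deletion before encryption
    r'host=ws01 event=ProcessCreate image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    # PsExec installs its default service on a remote host
    r'host=srv02 event=ServiceInstall service=PSEXESVC imagepath=C:\Windows\PSEXESVC.exe',
    # Defender service disabled via sc.exe
    r'host=srv02 event=ProcessCreate image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c sc config WinDefend start= disabled"',
    # Benign activity that must not fire
    r'host=ws03 event=ProcessCreate image="C:\Program Files\Mozilla Firefox\firefox.exe" cmdline="firefox.exe"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-spaces
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

DEFENDER_TAMPER_RE = re.compile(
    r'Set-MpPreference\s+-Disable\w+'                   # e.g. -DisableRealtimeMonitoring
    r'|sc(?:\.exe)?\s+(?:config|stop)\s+WinDefend',     # service disabled/stopped via sc
    re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(
    r'vssadmin(?:\.exe)?\s+delete\s+shadows'
    r'|wmic(?:\.exe)?\s+shadowcopy\s+delete',
    re.IGNORECASE)
# script host running a .js dropped into a Downloads folder (fake "update")
FAKE_UPDATE_RE = re.compile(r'\\downloads\\[^"]*\.js\b', re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split one telemetry line into a field dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def match_rules(fields: Dict[str, str]) -> Set[str]:
    """Return the names of the attack-chain stages this single event matches."""
    hits: Set[str] = set()
    image = fields.get("image", "").lower()
    cmdline = fields.get("cmdline", "")
    if image.endswith(("wscript.exe", "cscript.exe")) and FAKE_UPDATE_RE.search(cmdline):
        hits.add("fake_update_script")
    if DEFENDER_TAMPER_RE.search(cmdline):
        hits.add("defender_tamper")
    if SHADOW_DELETE_RE.search(cmdline):
        hits.add("shadow_copy_delete")
    # PSEXESVC is PsExec's default service name; a renamed copy would need a
    # different rule (e.g. service binary written to the admin share).
    if fields.get("event") == "ServiceInstall" and fields.get("service", "").upper() == "PSEXESVC":
        hits.add("psexec_service")
    return hits


def correlate(lines: List[str]) -> Dict[str, Set[str]]:
    """Collect the distinct stages observed on each host."""
    per_host: Dict[str, Set[str]] = {}
    for line in lines:
        fields = parse_line(line)
        host = fields.get("host", "unknown")
        per_host.setdefault(host, set()).update(match_rules(fields))
    return per_host


def flag_hosts(lines: List[str], min_stages: int = 2) -> List[str]:
    """Hosts where at least min_stages different stages were seen, sorted by name."""
    return sorted(h for h, stages in correlate(lines).items() if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOGS).items():
        print(host, sorted(stages))
    print("hosts with >= 2 stages:", flag_hosts(SAMPLE_LOGS))
```

Requiring two stages on one host keeps a lone `vssadmin` run by a backup administrator from paging anyone, while a Defender change followed by shadow-copy deletion on the same machine is exactly the pre-encryption pattern the article describes. The individual rules are deliberately narrow and would need widening in production (Defender can also be disabled through the registry or Group Policy, and the PsExec service can be renamed).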

“Had the attackers not been disrupted, successful attacks could have led to millions in damages, downtime, and a possible domino effect on supply chains,” Symantec added.

WastedLocker’s encryption appears to be secure at the moment, which means that victims have no way to decrypt their files for free.

Additional information on how a WastedLocker attack unfolds and indicators of compromise (IOCs) including malware hashes and domains used to deliver the malware are available at the end of Symantec’s report.