Security researchers have discovered a new ransomware, WastedLocker, attributed to the Evil Corp cybercriminal gang, one of the biggest malware operations on the internet.
The ransomware is named WastedLocker based on the file extension that it adds to the encrypted files, usually consisting of the victim’s name and the string “wasted.”
Fox-IT, a division within the NCC Group, has detailed the group’s latest activities.
Analysis of the new ransomware found very little code reuse or code similarity between BitPaymer and WastedLocker. There are, however, some similarities in the ransom note text.
The Evil Corp gang, also called the Dridex gang, has been active since 2007. Initially it focused on distributing the Cridex banking trojan, a malware strain that evolved into the Dridex banking trojan and later into the Dridex multi-purpose malware toolkit.
Through the Dridex operation, the group became one of the largest malware and spam botnets on the internet, distributing its own malware, malware belonging to other criminal groups, and custom spam campaigns.
They began distributing ransomware in 2016 by spreading Locky ransomware to home consumers. Later they targeted enterprises with a new custom ransomware named BitPaymer, which they operated from 2017 to 2019, after which infections started to drop.
Several members of the gang were then charged by the US Department of Justice in December 2019, and the group went silent for a full month until January 2020.
Now the group has resurfaced with new tools, replacing BitPaymer with WastedLocker.
Fox-IT has been tracking the use of this new ransomware since May 2020. According to the researchers, it has been deployed exclusively against US companies.
The researchers state that Evil Corp typically demands ransoms in the millions. It is not known whether any of the WastedLocker victims have paid.
The Evil Corp operators deploy WastedLocker against file servers, database services, virtual machines, and cloud environments.
They also attempt to disrupt backup applications and related infrastructure to increase the time needed for companies to recover.
WastedLocker is estimated to have been used as the ransomware payload in at least 5 cases.
Notably, Evil Corp did not include any data-theft functionality in WastedLocker, a capability that most current ransomware families carry.
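As an added defender-side example (not code from the article or from Fox-IT's report), the extension scheme described at the top of the article can be turned into a simple file-server check: flag files whose extension is a short victim token followed by "wasted", and escalate when many flagged files share the same token, which is what a mass-encryption event looks like. The sample paths, the token "acme" and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Extension scheme described in the article: a victim-specific token
# immediately followed by the string "wasted", e.g. ".acmewasted".
# The token length bound is an assumption to limit false positives.
WASTED_EXT = re.compile(r"\.([a-z0-9]{1,16})wasted$")


def find_wasted_files(paths):
    """Return (path, token) for each path whose extension matches the scheme."""
    hits = []
    for p in paths:
        m = WASTED_EXT.search(p.lower())
        if m:
            hits.append((p, m.group(1)))
    return hits


def alert_level(hits, threshold=10):
    """Classify a batch of hits.

    'none'     - nothing matched
    'review'   - a few matches (could be a coincidental name like .timewasted)
    'incident' - at least `threshold` matches that all share one token,
                 i.e. one actor renaming files en masse
    """
    if not hits:
        return "none"
    tokens = Counter(tok for _, tok in hits)
    if len(hits) >= threshold and len(tokens) == 1:
        return "incident"
    return "review"


# Constructed sample listing from a hypothetical file share (not real victim data).
SAMPLE_PATHS = [
    r"\\fs01\finance\Q2_report.xlsx",
    r"\\fs01\finance\Q2_report.xlsx.acmewasted",
    r"\\fs01\finance\budget.docx.acmewasted",
    r"\\fs01\hr\handbook.pdf",
    r"\\fs01\hr\payroll.csv.acmewasted",
]

if __name__ == "__main__":
    found = find_wasted_files(SAMPLE_PATHS)
    for path, token in found:
        print(f"flagged: {path} (token={token})")
    print("alert level:", alert_level(found))
```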