WastedLocker evades the behavioral detection used by anti-ransomware software by abusing Windows’ own memory management: it encrypts files through memory-mapped I/O, so that the Cache Manager, running in the System process, writes the encrypted data to disk on its behalf. That is enough to keep the malware unnoticed for the time it needs to encrypt the victim’s files.
What is WastedLocker?
WastedLocker is a ransomware family that was first detected in May 2020. It came to prominence a couple of weeks ago, in July 2020, after it was used in the attack on Garmin, a major manufacturer of navigation equipment and smart devices.
The ransomware’s name comes from the file extension it appends. Files encrypted by WastedLocker get an extension made of an abbreviation of the victim’s name followed by the word “wasted”; the ransom note uses the same extension with “_info” appended.
WastedLocker is believed to have been developed by Evil Corp, the Russia-based cybercriminal group also believed to be behind the Dridex banking trojan (aka Bugat) and the BitPaymer ransomware. The group is selective about the infrastructure it targets with its ransomware, usually going after file servers, database services, virtual machines and cloud environments.
How Does it Evade Behavioral Detection?
To stop ransomware, security software relies on behavioral detection: it monitors file system calls, because a ransomware process has to open, read, overwrite and close every file it encrypts. Behavioral detection looks for unknown processes that perform many such operations on the file system in a short time, and terminates any unknown process that opens, modifies and closes files in quick succession.
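The detection logic just described, and the gap that memory-mapped I/O opens in it, can be shown in miniature. The following is an added example, not code from the page or from any product: it scores a constructed stream of file events (a stand-in for what a file-system minifilter reports) with the open-modify-close heuristic, first against a classic encryptor loop and then against a process that only maps files writable and lets the System process write them back. The thresholds, PIDs, paths and the `MAP_RW` operation name are all assumptions made for the demo.

```python
from collections import defaultdict, deque

# Constructed thresholds (not taken from any product): flag a process that completes
# this many open -> modify -> close cycles on distinct files inside the window.
WINDOW_SECONDS = 2.0
MAX_MODIFY_CYCLES = 5
SYSTEM_PID = 4               # the Windows System process; Cache Manager writeback runs here
TRUSTED_PIDS = {SYSTEM_PID}  # known-good processes the monitor never scores

# Event shape is a constructed stand-in for minifilter/sensor telemetry:
# (timestamp_seconds, pid, image, operation, path)

def naive_encryptor_events(pid=1234, files=8):
    """Classic ransomware loop: open, overwrite, close, file after file."""
    events, t = [], 0.0
    for i in range(files):
        path = f"C:\\Users\\alice\\Documents\\doc{i}.docx"
        events += [(t, pid, "enc.exe", "CREATE", path),
                   (t + 0.01, pid, "enc.exe", "WRITE", path),
                   (t + 0.02, pid, "enc.exe", "CLOSE", path)]
        t += 0.1
    return events

def mapped_io_encryptor_events(pid=1234, files=8):
    """Memory-mapped variant: the malware only opens, maps for write and closes;
    the dirty pages are written back later in the context of the System process."""
    events, t = [], 0.0
    for i in range(files):
        path = f"C:\\Users\\alice\\Documents\\doc{i}.docx"
        events += [(t, pid, "enc.exe", "CREATE", path),
                   (t + 0.01, pid, "enc.exe", "MAP_RW", path),      # section mapped writable
                   (t + 0.02, pid, "enc.exe", "CLOSE", path),
                   (t + 1.5, SYSTEM_PID, "System", "WRITE", path)]  # lazy-writer paging I/O
        t += 0.1
    return events

def detect(events, count_mappings=False):
    """Return the set of PIDs that exceed the modify-cycle threshold.
    count_mappings=False models the tool described above (only WRITE counts);
    count_mappings=True also treats a writable mapping as a modification."""
    modifying_ops = {"WRITE", "MAP_RW"} if count_mappings else {"WRITE"}
    modified = {}                 # (pid, path) -> modified since CREATE?
    recent = defaultdict(deque)   # pid -> timestamps of completed modify cycles
    alerts = set()
    for ts, pid, _image, op, path in sorted(events):
        if pid in TRUSTED_PIDS:
            continue              # System's writeback is never attributed to the malware
        key = (pid, path)
        if op == "CREATE":
            modified[key] = False
        elif op in modifying_ops and key in modified:
            modified[key] = True
        elif op == "CLOSE" and modified.pop(key, False):
            window = recent[pid]
            window.append(ts)
            while ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= MAX_MODIFY_CYCLES:
                alerts.add(pid)
    return alerts

if __name__ == "__main__":
    print("classic loop, write-only rule:", detect(naive_encryptor_events()))
    print("mapped I/O, write-only rule:  ", detect(mapped_io_encryptor_events()))
    print("mapped I/O, mapping counted:  ", detect(mapped_io_encryptor_events(), True))
```

The write-only rule catches the classic loop and misses the mapped variant entirely, because the only WRITE events belong to PID 4. Counting a writable mapping as a modification closes that gap; on a real system one place a minifilter can observe it is the pre-callback for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION with a writable page protection. Any such rule still needs tuning against legitimate software that maps many files, such as indexers and backup agents.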
To evade these anti-ransomware behavioral detections, WastedLocker uses Windows’ own memory management features to do the encryption. Windows keeps file data it has recently read or written in the system file cache, managed by the Cache Manager, so that repeated access is fast; a file that a process maps into memory shares those same cached pages. WastedLocker opens each file, maps it into its own address space (memory-mapped I/O), reads the content through that mapping, and then closes the file handle.
It then encrypts the data in the mapped view, in memory, rather than writing to the file through the file system calls that the behavioral detection tools monitor. Once enough modified (dirty) pages have accumulated, the Cache Manager’s lazy writer flushes them back to their original location on disk, overwriting the plaintext file with its encrypted contents. That write is performed in the context of the System process, which the security software treats as a known, trusted process, so it looks like ordinary cache writeback and raises no alarm. In this way WastedLocker bypasses behavioral detection and encrypts every file it targets.
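The mechanism described above, written out as an added example rather than the malware’s own code: the process opens a file, maps it, closes the handle, changes the bytes through the mapping and unmaps, never issuing a write on the file itself. Python’s `mmap` module is used because on Windows it wraps CreateFileMapping/MapViewOfFile and elsewhere POSIX mmap, so the same script runs on either; the reversible XOR with `KEY` is a toy stand-in for a cipher (an assumption made for the demo, not what WastedLocker uses), and the file content is constructed.

```python
import mmap
import os
import tempfile

# Toy reversible XOR transform standing in for the malware's cipher (constructed
# for the demo; it is not encryption and not what WastedLocker uses).
KEY = 0x5A
CHUNK = 64 * 1024

def transform_via_mapping(path, key=KEY):
    """Rewrite a file's bytes without this process ever issuing a write on it.

    Open the file, map it into memory, close the handle, modify the mapped pages,
    drop the mapping. The modified pages are dirty in the file cache and are written
    back by the OS (on Windows, by the Cache Manager's lazy writer in the System
    process), not by a WriteFile() call made here. Returns the number of bytes mapped.
    """
    size = os.path.getsize(path)
    if size == 0:
        return 0                        # nothing to map; a zero-length mapping fails
    fd = os.open(path, os.O_RDWR)
    view = mmap.mmap(fd, size, access=mmap.ACCESS_WRITE)  # CreateFileMapping/MapViewOfFile on Windows
    os.close(fd)                        # handle closed, mapping still live
    for off in range(0, size, CHUNK):
        block = view[off:off + CHUNK]   # served from cached pages, not a ReadFile() call
        view[off:off + len(block)] = bytes(b ^ key for b in block)
    view.close()                        # unmap; no flush(), writeback is the kernel's job
    return size

def run_demo():
    """Create a file, transform it through the mapping, and read it back through the
    normal file API so the change made in memory is confirmed on the file system."""
    original = b"Q3 revenue: 1.2M; customer list attached.\n" * 200  # constructed content
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(original)
        path = tmp.name
    try:
        transform_via_mapping(path)
        with open(path, "rb") as f:
            on_disk = f.read()
    finally:
        os.remove(path)
    return original, on_disk

if __name__ == "__main__":
    before, after = run_demo()
    print("changed on disk:", before != after)
    print("reversible:", bytes(b ^ KEY for b in after) == before)
```

A monitor that attributes file writes to the calling process sees none from this script; on Windows, watching the file in Process Monitor should show the eventual disk write arriving from the System process as paging I/O rather than from python.exe. The read-back succeeds even without a flush because cached reads and the mapping share the same pages.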
To help prevent WastedLocker attacks, it is important to use:
- The latest application and Operating System (OS) versions
- The latest anti-ransomware software
- A VPN, protected with multi-factor authentication, for remote access to company networks, rather than exposing services such as Microsoft’s Remote Desktop Protocol (RDP) directly to the internet
- A reliable data backup scheme, with copies kept offline or otherwise out of reach of an attacker who has already compromised the network
It is also important to keep improving users’ cybersecurity awareness.