WastedLocker

Description

(Fox-IT) The new WastedLocker ransomware appeared in May 2020 (a technical description is included below). The ransomware name is derived from the filename it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. The abbreviation of the victim’s name was also seen in BitPaymer, although a larger portion of the organisation name was used in BitPaymer and individual letters were sometimes replaced by similar looking numbers.

Technically, WastedLocker does not have much in common with BitPaymer, apart from the fact that it appears that victim specific elements are added using a specific builder rather than at compile time, which is similar to BitPaymer. Some similarities were also noted in the ransom note generated by the two pieces of malware. The first WastedLocker example we found contained the victim name as in BitPaymer ransom notes and also included both a protonmail.com and tutanota.com email address. Later versions also contained other Protonmail and Tutanota email domains, as well as Eclipso and Airmail email addresses. Interestingly the user parts of the email addresses listed in the ransom messages are numeric (usually 5 digit numbers) which is similar to the 6 to 12 digit numbers seen used by BitPaymer in 2018.

Names

Name
WastedLocker

Type

Ransomware
Big Game Hunting

Information

Mitre Attack

https://attack.mitre.org/software/S0612/

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker

Playbook

https://pan-unit42.github.io/playbook_viewer/?pb=wastedlocker-ransomware

Other Information

Uuid

d718aaef-4608-46fd-8245-a6036ebf54f2

Last Card Change

2022-12-30

Threat Intelligence Garden

Explorer

WastedLocker

WastedLocker

Description

Names

Category

Type

Information

Mitre Attack

Malpedia

Playbook

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks