VideoBytes: Ransomware gets wasted!

Hello dear readers, and welcome to the latest edition of VideoBytes! On today’s episode, we’re talking about how ransomware is on the rise again, with attackers focused on corporations and using malware that not only encrypts files, but also steals them first.

The tactics used to deploy these forms of ransomware have become more sophisticated, and the amount of effort that goes into an attack is far greater than what we saw three years ago. The malware itself is also evolving: we continuously see new tricks to evade detection, spread faster, or encrypt faster.

Watch on to learn all about it. Or, as our esteemed host always says: Sit back, relax, here come the facts.

A rise in ransomware attacks

A recent study found that 25% of the UK universities surveyed have experienced a ransomware attack in the last 10 years, including Sheffield Hallam University, which had 42 attacks in the past seven years!

Most of the universities covered in the study had been attacked multiple times. However, of the universities that responded, many reported that they did not pay the ransom, but rather restored from backups.

Ionut Ilascu of Bleeping Computer points out that “the results from the FOIA are a poor reflection of the recent period as close to half of all the schools receiving the solicitation refused to give any information, motivating with concerns that admission of attack would only encourage the hackers.”

Logic dictates the opposite: going after a previous cybercrime victim is like launching a sneak attack on an enemy who already knows you are coming, and who has since restored from backups and patched the hole. Clearly, though, some folks still believe that admitting you have been the victim of a cyber-attack is a sign of weakness or insecurity.

Attackers threaten to report you!

There are possible legal difficulties that may affect whether or not a company pays, or even reports, a ransomware attack. For example, the General Data Protection Regulation, or GDPR, is a sweeping data privacy and protection law in the European Union. It requires organizations that handle the personal data of people in the EU to protect that data, and to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33), with fines for organizations that fail to do so.

Admitting that an attack occurred, and thereby inviting an investigation into how secure, or insecure, your data storage practices are, may be enough reason for some organizations to downplay attacks. In fact, an extortion group has recently taken advantage of this and is using GDPR threats to try and pressure victims into paying.

For example, servers running the MongoDB database software are being targeted by attackers who are focused on insecure deployments: databases exposed to the internet without authentication. The attackers connect to the open database, copy the data, wipe it, and leave behind a README demanding a bitcoin payment within 48 hours, or else all of the stolen data gets released online.

Part of the ransom note claims that if the victim doesn’t pay, the attackers will not only release the data, but will also report the organization to the GDPR authorities, which (according to the note, anyway, which is clearly meant to drum up fear) may lead to a fine or arrest.

Victor Gevers of the GDI Foundation, who has been tracking this threat, identified over 15,000 servers on which the README ransom note was found. He obtained this information by querying the internet device search engine Shodan. Other scanners show up to 23,000 affected servers.

According to a Bleeping Computer article by Lawrence Abrams, which quotes Victor Gevers: “With the ransom amount being small at $135.55 and the worry of GDPR violations, Gevers feels that it may cause some people to pay. The actors then know that the data is valuable to the owner and extort them for even more money.”

WastedLocker ransomware lands a whale

That $135 ransom is a lot less than Garmin reportedly paid when it suffered an attack from a ransomware strain known as WastedLocker, which took down many of its services in the process. According to media reports, Garmin ended up going through an incident response firm, Arete IR, to pay millions of dollars to the attackers and get everything back up and running again.

WastedLocker is a ransomware tool known to be associated with the Russian cybercrime gang “Evil Corp”, and it has been on a bit of a spree over the last few months. Evil Corp and its alleged leader were placed under US Treasury sanctions in December 2019, which is why a reported payment to the group raised eyebrows: paying a sanctioned entity carries legal risk of its own for the victim. And you’re right, it’s not the most inventive name for a cybercriminal gang.

Fake news?

In July it was reported that this same group had compromised dozens of US newspaper websites and was using them to host WastedLocker payloads. Once inside a target’s network, the attackers downloaded the malware from those sites as needed. The goal was to mask the malicious intent of the traffic by making it look like a user simply reading the news.

In addition, Symantec warned about this group a month before the Garmin attack was made public. These guys are not messing around; they only seem to go after well-resourced and, likely, well-researched organizations, unlike other ransomware families we have seen in the past that target anyone willing to run their malware.

Evading protection

An example of this group’s sophistication is their use of new techniques meant to evade detection by anti-ransomware tools. Many anti-ransomware tools identify a possible infection by watching for an untrusted executable doing ransomware-like things, for example rapidly reading files, writing back encrypted versions, and deleting the originals.

WastedLocker avoids issuing those tell-tale writes itself. It reads the contents of a victim file so that the data is held by the Windows Cache Manager, the kernel component that keeps recently used file data in memory, and then encrypts the data in that cached memory rather than writing to the file on disk.

When the cache holds modified (“dirty”) data, the Cache Manager’s own lazy writer flushes it back to the original file. In simple terms, the unencrypted, legitimate file gets replaced with the encrypted version, but the disk write is performed by the System process as part of normal cache write-back, not by some shady EXE.

The idea is that if an anti-ransomware tool attributes file modifications to the process that wrote them, it will see the System process, not the malware binary, doing the encryption, and maybe will not raise an alert. However, vendors are already updating their tools to detect this kind of behavior, so it may not be a clever trick for much longer.
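To make the mechanism concrete, here is an added example in Python, not code from the article, from WastedLocker or from any vendor. It modifies a file only through a memory mapping, never through a write call issued by the process, and lets the operating system’s page cache (the Cache Manager on Windows; the same write-back behaviour exists on Linux, where the example also runs) flush the encrypted pages to disk. It then applies an outcome-based check that does not care which process did the write: is the file’s content now near-random? The key, the SHA-256 counter-mode keystream used as a stand-in cipher, and the sample document are all constructed for this demo.

```python
"""Added example: mmap-based in-place file encryption and an
outcome-based (entropy) check. Nothing here is WastedLocker code."""
import hashlib
import math
import mmap
import os
import tempfile
from collections import Counter

KEY = b"example-key-not-a-real-secret"  # assumption: toy key, demo only


def keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_via_mapping(path: str, key: bytes) -> int:
    """Encrypt a file in place through a memory mapping.

    This process never calls write()/WriteFile on the file; it only
    modifies the mapped pages. The OS page cache (the Cache Manager on
    Windows) later flushes the dirty pages to disk on its behalf.
    Returns the number of bytes modified.
    """
    size = os.path.getsize(path)
    if size == 0:
        return 0  # mapping an empty file is an error; nothing to encrypt
    with open(path, "r+b") as f, mmap.mmap(
        f.fileno(), size, access=mmap.ACCESS_WRITE
    ) as mm:
        mm[:] = xor_bytes(mm[:], keystream(key, size))
        mm.flush()  # request write-back of the dirty pages now
    return size


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, threshold: float = 7.5) -> bool:
    """Outcome-based check: flag a file whose content is near-random,
    regardless of which process performed the write."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read()) > threshold


def demo() -> dict:
    """Create a constructed document, encrypt it via the mapping, and
    report what the outcome-based check sees before and after."""
    plaintext = b"Q3 report: revenue, costs, headcount, forecast.\n" * 200
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(plaintext)  # the only write() call, and it is the setup
        flagged_before = looks_encrypted(path)
        modified = encrypt_via_mapping(path, KEY)
        with open(path, "rb") as f:
            on_disk = f.read()
        return {
            "bytes_modified": modified,
            "flagged_before": flagged_before,
            "flagged_after": looks_encrypted(path),
            "content_changed": on_disk != plaintext,
            "decrypts_back": xor_bytes(on_disk, keystream(KEY, len(on_disk)))
            == plaintext,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

A monitor that hooks write calls or attributes disk writes to the calling process sees nothing from this script beyond the initial setup write; a check on the result (a document that has become high-entropy noise, often alongside renamed files and a dropped ransom note) still fires. Entropy alone is a weak signal on its own, since compressed archives and media files are also near-random, so in practice it is combined with other indicators.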

The new normal for ransomware

Researchers believe that WastedLocker is manually directed by attackers who use things like stolen credentials and vulnerable, internet-facing services to get in. That access lets them not just launch malware, but scope out a target and determine the best strategy for the attack. A hands-on intrusion like that is more difficult to predict and defend against, especially when the actor has proven to be sophisticated and clever.

WastedLocker has already proven itself multiple times over as a dangerous and capable piece of malware. Depending on what Evil Corp wants to do next, they could continue ransoming corporate networks themselves, or they could set up shop and start selling modified versions of WastedLocker to other cybercriminals. The ransomware-as-a-service scene (yes, you read that right) is very lucrative.

Ransomware-as-a-service is a term used to describe a cybercrime group that develops malware and provides it to individual customers, who then spread it. This takes a lot of the overhead out of launching a ransomware attack: previously an attacker might have needed to develop, steal, or buy their own ransomware, then go about trying to infect people with it, and the quality of that ransomware was not guaranteed. It might not even work.

With more advanced families of ransomware like Cerber and Locky, the value was in the proven effectiveness of the malware. The creators of these families only needed to make slight updates and provide individualized modifications to customers (like which email address the victim should contact), who would then go about distributing the malware. Once a ransom is paid, the creators take their cut and the distributors keep most of the payment.

Buyers, however, also need to avoid being scammed by the criminals selling the ransomware, who might build a backdoor into what they sell. So it comes down to the reputation of the malware: Have there been news stories about it? Has it been proven in the wild? Combine those questions with the reputation of the creators and sellers of the service: Do they have good relationships with other criminals? Can they be counted on to come through on their end of the bargain?

It’s like buying something off the DarkNet: you have to trust the seller to deliver the product you are paying for, and a lot of the time that trust comes in the form of previous customer reviews. If a criminal developing malware were putting backdoors into what they sold, someone would notice and tell other folks about it. Eventually, the vendor would no longer be trusted, and nobody would buy their wares.

It’s sort of like a rampant free market, but for ransomware, and totally terrible for businesses and consumers. The product with the most reliability, the strongest reviews, and the best, uh, returns, will likely enjoy the most sales.