WastedLocker Ransomware Information

    • Updated: 20 Aug 2020
    • Product/Version:
        • Apex One 2019
        • Apex One as a Service
        • Deep Security 11.0
        • Deep Security 12.0
        • Deep Security 20.0
        • Deep Security As A Service
        • OfficeScan 11.0
        • OfficeScan XG
        • Worry-Free Business Security Standard All
    • Platform:

Summary

A new ransomware developed by a Russian cybercrime group known as Evil Corp has targeted multiple enterprise networks in the US. It uses a fake software update alert to trick victims into downloading a malicious file. Once a system is compromised, the attacker uses Cobalt Strike to steal credentials and escalate privileges, which lets them move across devices and compromise security using legitimate tools such as PowerShell. The payload is deployed using the PsExec tool; it then encrypts the victim's data and deletes the Windows shadow volume copies.

Indicators of Compromise

Detection                           SHA1
Ransom.Win32.WASTEDLOCKER.YAAF-B    483824d5756d6037e66fe922806a7ce98136f1b8
Trojan.BAT.KILLAV.BN                0675a8313b7bc0f5e7fdbddbca94a2f29d34d27d
Trojan.BAT.KILLAV.BM                c00d7adcf8859b2454c62b476bc37a2ad4cd1ec4
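
One way to sweep a directory tree for the three SHA1 indicators above, as an added example that is not part of the original article or any Trend Micro tooling. The function names `sha1_of` and `sweep` are hypothetical; the hashes and detection names are the ones listed on this page.

```python
import hashlib
import os

# SHA1 indicators and detection names exactly as listed in this article.
IOC_SHA1 = {
    "483824d5756d6037e66fe922806a7ce98136f1b8": "Ransom.Win32.WASTEDLOCKER.YAAF-B",
    "0675a8313b7bc0f5e7fdbddbca94a2f29d34d27d": "Trojan.BAT.KILLAV.BN",
    "c00d7adcf8859b2454c62b476bc37a2ad4cd1ec4": "Trojan.BAT.KILLAV.BM",
}


def sha1_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=IOC_SHA1):
    """Walk root and return (hits, unreadable).

    hits: (path, sha1, detection name) for every file matching an indicator.
    unreadable: paths that could not be listed or hashed (locked, access
    denied). These need a follow-up with elevated rights; they are not
    evidence that the host is clean.
    """
    hits, unreadable = [], []
    for folder, _dirs, files in os.walk(root, onerror=lambda e: unreadable.append(e.filename)):
        for name in files:
            path = os.path.join(folder, name)
            if os.path.islink(path):
                continue  # do not follow links out of the tree being swept
            try:
                digest = sha1_of(path)
            except OSError:
                unreadable.append(path)
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits, unreadable


if __name__ == "__main__":
    import sys
    found, skipped = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, digest, name in found:
        print(f"MATCH {name} {digest} {path}")
    print(f"{len(found)} match(es), {len(skipped)} unreadable path(s)")
```

A hash sweep only finds these exact samples; a repacked or modified variant will have a different SHA1, which is why the article also relies on behavior-based detection.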

Solutions Available

PREDICTIVE LEARNING (TRENDX)
    • Solution available: Yes
    • Detection/Policy/Rules: Troj.Win32.TRX.XXPE50FFF036

FILE DETECTION (VSAPI/SMART SCAN) AND ADVANCED THREAT SCAN ENGINE (ATSE)
    • Solution available: Yes
    • Pattern branch: SmartScan TBL Version: 20352.004.00; Conventional OPR Version: 15.951.00
    • Release date: 2020-06-24 05:04 (UTC); 15.951.00 released June 24, 2020, 20:22:20 (UTC)
    • Detection/Policy/Rules: Ransom.Win32.WASTEDLOCKER.YAAF-B

BEHAVIORAL MONITORING (AEGIS)
    • Solution available: Yes
    • Detection/Policy/Rules: Threat Behavior Analysis

FILE DETECTION (VSAPI/SMART SCAN) AND ADVANCED THREAT SCAN ENGINE (ATSE)
    • Solution available: Yes
    • Pattern branch: SmartScan TBL Version: 20356.024.00; Conventional OPR Version: 15.955.00
    • Release date: Released around 2020-06-27 00:10 (UTC); Released June 26, 2020, 20:22:19 (UTC)
    • Detection/Policy/Rules: Trojan.BAT.KILLAV.BN

FILE DETECTION (VSAPI/SMART SCAN) AND ADVANCED THREAT SCAN ENGINE (ATSE)
    • Solution available: Yes
    • Pattern branch: SmartScan TBL Version: 20354.011.00; Conventional OPR Version: 15.953.00
    • Release date: Released around 2020-06-25 12:24 (UTC); Released June 25, 2020, 20:22:20 (UTC)
    • Detection/Policy/Rules: Trojan.BAT.KILLAV.BM

Prevention and Containment

Containment is possible by installing a Trend Micro endpoint agent such as OfficeScan, Apex One, Deep Security, or Worry-Free Business Security, and configuring it according to best practices.

Configure your solutions to their best-practice settings, and make sure that the following key features are enabled for your Endpoint Security:

  • Smart Scan – Threat patterns are stored in the cloud and are updated every hour.
  • Predictive Machine Learning – Proactive solution for threats that are not yet known to our patterns.
  • Behavior Monitoring – Monitors process activity for malicious attempts to change critical settings and for unauthorized file modification.
  • Agent Self Protection – If enabled and configured with a password, users and processes will not be able to make unauthorized changes to your security software.

Recovery

Worry-Free Business Security, Apex One, or Deep Security will be able to clean up the ransomware notes left behind.

File recovery is not possible after infection: after evaluating the threat, there is no known way to decrypt the files.

It is recommended to restore all encrypted files from backup. One good safe-computing practice is to ensure you have accurate backups of your files. The 3-2-1 principle should be in play: three copies, two different media, one separate location. Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state and is enabled by default. Because this ransomware deletes the Windows shadow volume copies (see Summary), do not rely on that feature alone for recovery.

Category: Remove a Malware / Virus
Solution Id: 000263431