WastedLocker Evasion Technique

As time goes on, one ransomware after another comes and goes, like the seasons: summer, winter, rainy, spring. Once released, it becomes the talk of the town, and one big organisation after another gets hit. Paying ransoms and getting the decryptors is routine nowadays. The difference is that each one is more sophisticated than the last, and the techniques they use for evasion vary.

Here we look at the technique WastedLocker used to evade security systems.

WastedLocker, a ransomware strain that reportedly shut down Garmin’s operations for several days in July, is designed to avoid security tools within infected devices, according to a technical analysis from Sophos.

The ransomware abuses the Microsoft Windows memory management feature to evade detection by security software. The Sophos researchers also found other tricks within the malware designed to make it difficult to detect.

“WastedLocker … is cleverly constructed in a sequence of maneuvers meant to confuse and evade behavior-based anti-ransomware solutions.”

Evading Security

WastedLocker and other newer strains of ransomware are increasingly designed to avoid detection by security tools. These so-called “survival skills” allow the malware to live in the network long enough to encrypt files.

“Survival demands that static and dynamic endpoint protection struggle to make a determination about a file based on the appearance of its code, and that behavioral detection tools are thwarted in their efforts to determine the root cause of the malicious behavior.”

WastedLocker appears to have adopted a technique similar to one used by a ransomware strain called BitPaymer. This evasion method works on the Windows API functions in memory, according to the report.

“This technique adds an additional layer of obfuscation by doing the entire thing in memory, where it’s harder for a behavioral detection to catch it.”

In memory evasion

WastedLocker also makes it harder for behavior-based anti-ransomware tools to keep track of what is going on by using memory-mapped I/O to encrypt a file, Sophos reports. This involves transparently encrypting cached documents in memory without any disruption to disk I/O, which shields it from behavior-monitoring software.

The Windows memory management feature improves performance by serving files and applications from the operating system’s cache in memory after they have been read from disk. To trick anti-ransomware tools, WastedLocker opens a file, maps it into memory so that it is cached, and then closes it.

WastedLocker closes its handle once it has mapped the file into memory, which might look like a mistake. But the trick works because the Windows Cache Manager also opens a handle to the file once it is mapped into memory, so the cached data stays alive.

Once the data is held by the Windows Cache Manager, WastedLocker encrypts the file’s content in the cache. When cached data is modified it becomes “dirty”, so eventually Windows itself writes the encrypted cached data back to the original files, and anti-ransomware software sees no illegitimate process doing the writing.
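One way a defender could look for the cache write-back trick described above, as an added example that is not from the Sophos analysis or this post: it correlates a process that creates a writable file mapping and closes its handle with a later paging write of high-entropy data by the System process. The event schema, process names and document contents are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

SYSTEM_PID = 4  # the Cache Manager's lazy writer flushes dirty pages from the System process


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, ordinary documents sit well below 7."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def find_cache_writeback_encryptors(events, min_files=2, entropy_threshold=7.0):
    """events: (time, pid, image, op, path, extra) from a file-activity monitor (constructed
    schema). Flags processes that mapped >= min_files files read-write, closed their handle,
    and then had System page high-entropy data back to the files; returns {(pid, image): [paths]}."""
    mapped = {}     # path -> (pid, image) that created a writable mapping
    closed = set()  # paths whose mapping process has already closed its handle
    hits = defaultdict(set)
    for _t, pid, image, op, path, extra in sorted(events, key=lambda e: e[0]):
        if op == "CreateFileMapping" and extra.get("protect") == "PAGE_READWRITE":
            mapped[path] = (pid, image)
        elif op == "CloseHandle" and mapped.get(path, (None,))[0] == pid:
            closed.add(path)
        elif op == "WriteFile" and path in mapped:
            if pid == mapped[path][0]:
                mapped.pop(path)  # the mapping process wrote the file itself: a normal save
                closed.discard(path)
            elif (pid == SYSTEM_PID and extra.get("paging_io") and path in closed
                  and shannon_entropy(extra.get("data", b"")) >= entropy_threshold):
                hits[mapped[path]].add(path)
    return {proc: sorted(paths) for proc, paths in hits.items() if len(paths) >= min_files}


# Constructed sample: two documents touched WastedLocker-style, one saved normally by an editor.
DOC1, DOC2, DOC3 = r"C:\Docs\q1.xlsx", r"C:\Docs\plan.docx", r"C:\Docs\notes.txt"
CIPHERTEXT = bytes(range(256))         # stand-in for encrypted content (entropy 8.0)
PLAINTEXT = b"Quarterly report " * 16  # stand-in for a normal document (entropy about 3.3)
SAMPLE_EVENTS = [
    (1, 4321, "invoice.exe", "CreateFileMapping", DOC1, {"protect": "PAGE_READWRITE"}),
    (2, 4321, "invoice.exe", "CloseHandle", DOC1, {}),
    (3, 4321, "invoice.exe", "CreateFileMapping", DOC2, {"protect": "PAGE_READWRITE"}),
    (4, 4321, "invoice.exe", "CloseHandle", DOC2, {}),
    (5, 2200, "WINWORD.EXE", "CreateFileMapping", DOC3, {"protect": "PAGE_READWRITE"}),
    (6, 2200, "WINWORD.EXE", "WriteFile", DOC3, {"data": PLAINTEXT}),
    (9, 4, "System", "WriteFile", DOC1, {"paging_io": True, "data": CIPHERTEXT}),
    (10, 4, "System", "WriteFile", DOC2, {"paging_io": True, "data": CIPHERTEXT}),
]
```

Real telemetry attributes the write-back to System rather than to the ransomware, which is exactly why the correlation has to key on the earlier mapping and not on who performed the write.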

Ransomware families that affect ICS

A total of seven ransomware families have been found to target processes associated with operational technology (OT) software, and FireEye this week published an analysis of these pieces of malware.

Many ransomware families are designed to kill certain types of running processes. They might target security products to prevent them from blocking the attack, and they can also terminate critical system processes so that they can encrypt the files those applications hold open, causing disruption that increases the cybercriminals’ chances of getting paid by the victim.

There are two main “process kill lists” that include industrial software. One of them, which targets over 1,000 processes, is used by six ransomware families, including SNAKE (SNAKEHOSE, EKANS), DoppelPaymer, LockerGoga, Maze, MegaCortex and Nefilim. The second list, which targets 1,425 processes, has only been found to be used by the CLOP ransomware.

While the first list targets only a couple dozen ICS processes, mainly associated with the GE Proficy solution, the second list targets over 150 processes related to industrial products, including Siemens SIMATIC WinCC, Beckhoff TwinCAT, National Instruments data acquisition software, Kepware KEPServerEX, and the OPC communications protocol.

In the case of the first list, which may have been posted on an underground forum or shared by a threat actor with other groups, the termination of the targeted OT processes can result in a limited loss of view of historical process data, but it’s unlikely to prevent the victim from controlling physical processes.

As for the second list, used only by the CLOP ransomware, which has been tied to a Russia-linked threat group tracked as TA505, FireEye researchers believe it was expanded based on reconnaissance the attackers conducted in victim networks.

The group has been active since at least 2016 — possibly as early as 2014 — and based on what researchers know about it, the targeting of industrial systems is likely just another technique used to increase their chances of making money. However, the termination of OT processes targeted by CLOP is more likely to cause disruption compared to the other pieces of ransomware.

“Unlike the first kill list, the CLOP sample includes a list of processes that, if stopped, may directly impact the operator’s ability to both visualize and control production. This is especially true in the case of some included processes that support HMI and PLC supervision.”

“While it is likely the physical processes this software controls would continue to operate even if the software processes were terminated unexpectedly, stopping the software processes included in the CLOP sample’s kill list could result in the loss of view/control over those physical processes due to the inability of operators to interact with the equipment. This can be caused not only by the ransomware’s disruption of intermediary systems, but also by the loss of access to relevant files on HMIs/EWS required for the operation of process control and monitoring software–for example configurations or project files. This could prolong the mean time to recovery (MTTR) of impacted environments without offline backups,” the cybersecurity firm added.
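An added detection example for the kill-list behaviour described above (not FireEye’s code): it flags a parent process that stops several names from a defender-maintained protection list within a short window. The protection list, process names and event schema are hypothetical, and it only sees terminations issued through taskkill, net stop or sc stop; a family that calls TerminateProcess directly needs EDR or kernel-callback telemetry instead.

```python
import re
from collections import defaultdict

# Hypothetical protection list (constructed names): fill it from the real vendor process and
# service names running on the site's HMIs, historians, OPC servers and backup hosts.
PROTECTED = {"hmi_runtime", "opc_server", "historian", "backupagent"}

# Matches `taskkill ... /IM name.exe` and `net stop name` / `sc stop name` command lines.
KILL_RE = re.compile(r"taskkill(?:\.exe)?\s.*?/im\s+(\S+)|(?:net|sc)(?:\.exe)?\s+stop\s+(\S+)", re.I)


def kill_target(command_line):
    """Return the normalised process/service name a command line tries to stop, else None."""
    m = KILL_RE.search(command_line)
    if not m:
        return None
    name = (m.group(1) or m.group(2)).strip('"').lower()
    return name[:-4] if name.endswith(".exe") else name


def find_kill_list_bursts(events, min_targets=3, window_s=60):
    """events: (time_s, parent_pid, parent_image, command_line) process-creation records
    (constructed schema, like Sysmon event 1). Returns {(parent_pid, parent_image): [targets]}
    for parents that stopped >= min_targets distinct protected names inside window_s seconds."""
    per_parent = defaultdict(list)  # (pid, image) -> [(time, target)]
    for t, ppid, pimage, cmd in events:
        target = kill_target(cmd)
        if target in PROTECTED:
            per_parent[(ppid, pimage)].append((t, target))
    bursts = {}
    for parent, kills in per_parent.items():
        kills.sort()
        for i, (t0, _) in enumerate(kills):
            inside = {name for t, name in kills[i:] if t - t0 <= window_s}
            if len(inside) >= min_targets:
                bursts[parent] = sorted(inside)
                break
    return bursts


# Constructed sample: one parent sweeping through protected processes, one lone admin action.
SAMPLE_EVENTS = [
    (100, 5000, "updater.exe", "taskkill /F /IM hmi_runtime.exe"),
    (101, 5000, "updater.exe", 'taskkill.exe /F /IM "opc_server.exe"'),
    (102, 5000, "updater.exe", "net stop historian"),
    (103, 5000, "updater.exe", "taskkill /F /IM notepad.exe"),  # not protected, ignored
    (500, 7100, "cmd.exe", "sc stop backupagent"),              # single action, below threshold
]
```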

The operators of the CLOP ransomware have set up a website where they leak information from companies that refuse to pay up. One of their most high-profile victims is US-based pharmaceutical giant ExecuPharm.

The cybercriminals claim they will never target hospitals, nursing homes, orphanages and charitable foundations. On one hand, they threaten to leak data stolen from organizations whose systems they have hacked, and on the other hand they offer to help victims secure their systems for a low fee.

Hackers targeting other hackers! Quite interesting.

A group of hackers is fighting back against online scammers by targeting “scam” companies with ransomware and denial of service attacks.

A new ransomware called MilkmanVictory was recently discovered online, and the hackers behind it, who call themselves CyberWare, revealed that they created it specifically to send to scammers. In these scams, victims are told that they will receive a loan after making a payment to a company, but in reality there is no loan and no way for them to get their money back.

This isn’t the first time we’ve seen hackers targeting other hackers. Back in March of this year, Cybereason discovered that hackers were modifying existing hacking tools by injecting a powerful remote-access Trojan into them.

Targeting scammers

As part of its new campaign against scammers, CyberWare is sending phishing emails containing links to executables disguised as PDF files. The group is also conducting denial of service attacks to bring down the scam companies’ websites.

The MilkmanVictory ransomware is being distributed as a destructive wiper attack as it does not provide victims with a way to contact the attackers and does not save the encryption key. Instead victims receive a ransom note on their computers which reads: “Hello!, This computer has been destroyed with the MilkmanVictory Ransomware because we know you are a scammer! – CyberWare Hackers :-)”.

Apparently the new ransomware is based on Hidden Tear, and because of this, even though the key is not saved, the files can still be decrypted using brute force attacks.

Maze shows up again.. Pitney Bowes succumbs again…

The cyber criminal group behind the increasingly dangerous Maze ransomware strain claims it has successfully encrypted systems at mailing and shipping services firm Pitney Bowes, less than a year after it was hit by a similar attack.

The group behind Maze, which specialises in double extortion, a type of attack that increases pressure on its victims to pay by threatening to release important data in addition to encrypting systems, confirmed the attack on Pitney Bowes in a release posted to its website.

“Detected a security incident related to Maze ransomware. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited.

“Working with our third-party security consultants, we immediately took critical steps to thwart the attack before data could be encrypted. At this point, there is no evidence of further unauthorised access to our IT systems. The investigation remains ongoing.”

Screenshots posted by Maze suggest that the group has stolen data on a range of Pitney Bowes customers, including major insurance companies and retailers, as well as information and data relating to the company’s internal processes, such as management and training policies.

The previous attack in October 2019 is understood to have involved Ryuk ransomware, which is suspected to be operated by groups out of Russia, and it is not known whether Pitney Bowes paid the ransom on that occasion.

But according to threat researchers, there is a possibility that the two attacks, despite relying on different forms of ransomware, are linked in some way, although this is by no means proven.

This may be a further clue that cyber criminals may have gained access to privileged credentials at Pitney Bowes and have either sold them on to a group using Maze or reused them after gaining access to Maze themselves. Maze appears to operate an affiliate model, partnering with other threat actors and then taking a cut of the commission if a ransom is paid.

Microsoft said Maze is most often delivered via email, but some of its operators have deployed it to victim networks using RDP (remote desktop protocol) brute force attacks, often exploiting unchanged local administrator passwords. Having done this, they then steal credentials and move laterally through the network to exfiltrate data.

Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords, said the firm’s researchers.

“After gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec and a plethora of other tools to deploy various payloads and access data,” wrote Microsoft’s researchers.

“They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.”
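An added example, not from Microsoft’s write-up, that applies the Maze delivery chain just described to Windows Security log events: it pairs a burst of failed logons with a following RDP success from the same source, then reports the other hosts where the same account name logs on afterwards, which is the shared-local-admin pattern the researchers describe. The event schema, host names and addresses are constructed.

```python
from collections import defaultdict

LOGON_FAILED, LOGON_OK = 4625, 4624
RDP = 10     # logon type 10 (RemoteInteractive) is an RDP session
NETWORK = 3  # logon type 3 is what SMB/PsExec-style lateral movement produces


def detect_rdp_bruteforce_and_spread(events, min_failures=20, window_s=600):
    """events: (time_s, host, event_id, logon_type, user, src_ip) Security-log records
    (constructed schema). Returns [(src_ip, user, first_host, [hosts the account then
    logged on to remotely])] for RDP logons preceded by a burst of failures from the same source."""
    events = sorted(events, key=lambda e: e[0])
    failures = defaultdict(list)  # (host, src_ip) -> failed-logon times
    compromised = {}              # (user, src_ip) -> (time, host) of the brute-forced logon
    for t, host, eid, ltype, user, src in events:
        if eid == LOGON_FAILED:
            failures[(host, src)].append(t)
        elif eid == LOGON_OK and ltype == RDP and (user, src) not in compromised:
            recent = [ft for ft in failures[(host, src)] if t - ft <= window_s]
            if len(recent) >= min_failures:
                compromised[(user, src)] = (t, host)
    findings = []
    for (user, src), (t0, first_host) in compromised.items():
        # The same account name appearing on other hosts afterwards is the shared-local-admin
        # pattern; the source there is the first victim, not the attacker, so src is ignored.
        spread = {h for t, h, eid, lt, u, _ in events
                  if eid == LOGON_OK and lt in (RDP, NETWORK) and u == user
                  and h != first_host and t > t0}
        findings.append((src, user, first_host, sorted(spread)))
    return findings


# Constructed sample: 25 failed RDP logons from one address, then success, then the same
# built-in account turning up on two more hosts from the first victim's address.
ATTACKER_IP, WS01_IP = "203.0.113.7", "10.0.0.11"
SAMPLE_EVENTS = [(i, "WS01", LOGON_FAILED, RDP, "Administrator", ATTACKER_IP) for i in range(25)] + [
    (30, "WS01", LOGON_OK, RDP, "Administrator", ATTACKER_IP),
    (90, "WS02", LOGON_OK, NETWORK, "Administrator", WS01_IP),
    (95, "FS01", LOGON_OK, NETWORK, "Administrator", WS01_IP),
    (20, "WS05", LOGON_OK, RDP, "jdoe", "10.0.0.50"),  # ordinary session with no failures before it
]
```

The same records feed the mitigation side: hosts listed in the spread set are where unique local administrator passwords (LAPS-style) would have stopped the chain.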