Wednesday, 05 August 2020 11:51

Sophos says WastedLocker has many similarities to Bitpaymer and Dridex


The new kid on the Windows ransomware block, WastedLocker, may be causing foreheads to wrinkle at companies that fear attacks from this genre of malware, but it has given security firms, like global operator Sophos and Russian company Kaspersky, plenty of meat for their researchers to sink their teeth into.

On Wednesday, Sophos published the first part of a multi-part series on ransomware, concentrating on the techniques WastedLocker uses to avoid detection.

As iTWire has reported, Kaspersky researcher Fedor Sinitsyn issued a detailed report on WastedLocker last week, concentrating on its method of attacking a system and on its command-line interface, which lets it accept different arguments that control the way it operates.

Sinitsyn pointed out that WastedLocker had been used increasingly in the first six months of the year, with the most recent, and possibly the most attention-garnering, attack being the one against wearable technology specialist Garmin.

Sophos researchers Mark Loman and Anand Ajjan wrote that the author of WastedLocker had cunningly crafted a sequence of manoeuvres meant to confuse and evade anti-ransomware software.

They said some of the techniques mimicked those used by other ransomware known as Bitpaymer and the Dridex trojan, with hints that WastedLocker might be a derivative work or have common authors.


Anand Ajjan and Mark Loman. Courtesy Sophos

"Ransomware defences based on behaviour monitoring typically implement a mini-filter driver," the pair said. "These are kernel drivers that attach to the file system stack. Mini-filters filter I/O operations in order to keep an eye on everything that happens to files.

"For example, the well-known Process Monitor utility from Sysinternals uses a mini-filter driver to create a real-time log of file system activity. Most anti-ransomware solutions use a similar approach to keep an eye on what happens to files."

They said WastedLocker utilised a trick to make it harder for behaviour-based anti-ransomware solutions to keep track of what was going on: using memory-mapped I/O to encrypt a file.

"Although it is unnecessary for ransomware to access documents as a memory-mapped file, the method is more common nowadays, as Maze and Clop (two common Windows ransomware packages) also employ the same tactic," Loman and Ajjan said.

"This technique allows the ransomware to transparently encrypt cached documents in memory, without causing additional disk I/O. For behaviour monitoring, this may be a problem. Tools used to monitor disk writes may not notice that ransomware is accessing a cached document, because the data is served from memory instead of disk.

"But the kicker here is that WastedLocker is closing the file once it has mapped a file in memory. You’d think this would result in an error, but the trick actually works because the Windows Cache Manager also opens a handle to the file once a file is mapped into memory."

The two researchers said anti-ransomware solutions that correlated activity based on CreateFile and CloseFile operations would miss all the disk I/O performed by the Cache Manager in response to mapped memory operations.
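The sequence the researchers describe (open the file, map it, close the handle, then write through the mapping) can be reproduced in a few lines. The following is an added example written for this article, not WastedLocker's code or Sophos's: Python's mmap module calls CreateFileMapping/MapViewOfFile on Windows (and mmap(2) elsewhere) and keeps its own reference to the file, so the original handle can be closed while the view stays writable. The XOR transform and the sample document are constructed stand-ins for the real cipher and a real victim file.

```python
"""Encrypt a file through a memory mapping after closing the file handle.

Added illustration, not WastedLocker's code. The XOR transform is a constructed
stand-in for the real cipher; the point is the ordering: the process never
issues a WriteFile on the document, and the handle it opened is already gone
when the bytes change.
"""
import mmap
import os
import tempfile

STAND_IN_KEY = 0x5A  # constructed single-byte key, not a real key


def encrypt_via_mapping(path: str, key: int = STAND_IN_KEY) -> bool:
    """Map the file, close the handle, then modify the view in place.

    Returns True if the handle was already closed when the bytes were
    modified, which is the ordering the researchers describe.
    """
    size = os.path.getsize(path)
    f = open(path, "r+b")
    view = mmap.mmap(f.fileno(), size, access=mmap.ACCESS_WRITE)
    f.close()                      # our handle is gone; the section keeps its own
    handle_closed_first = f.closed
    for i in range(size):          # plain memory writes, no WriteFile from us
        view[i] ^= key
    view.flush()                   # the OS writes the dirty pages back
    view.close()
    return handle_closed_first


def run_demo() -> dict:
    """Create a constructed document, encrypt it in place, read it back."""
    plaintext = b"Quarterly figures - constructed sample document\n"
    fd, path = tempfile.mkstemp(suffix=".docx")
    with os.fdopen(fd, "wb") as f:
        f.write(plaintext)
    try:
        closed_first = encrypt_via_mapping(path)
        with open(path, "rb") as f:
            on_disk = f.read()
    finally:
        os.remove(path)
    expected = bytes(b ^ STAND_IN_KEY for b in plaintext)
    return {
        "handle_closed_before_write": closed_first,
        "matches_expected_ciphertext": on_disk == expected,
        "differs_from_plaintext": on_disk != plaintext,
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it and the document on disk comes back transformed even though the only handle the script opened was closed before a single byte changed; a monitor that pairs this process's CreateFile with its CloseFile and looks for writes in between sees nothing.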

"Ultimately, the Cache Manager will release its internal handle to the memory-mapped file. This may happen after a few minutes, but we have observed that the Cache Manager closes the handle only after several hours," they said.
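The detection gap the researchers describe can be shown on log data. The block below is an added example, not Sophos's tooling: it parses events laid out like a Process Monitor CSV export (the column names are Procmon's; the event lines themselves are constructed for this example and are not a capture of WastedLocker) and runs two correlators over them. The naive one credits writes only to the process that issued them while it holds the file open; the section-aware one also credits paging writes flushed by the Cache Manager under the System process to whichever process created a writable section on that path.

```python
"""Two ways to attribute file writes from Procmon-style events.

Added illustration, not Sophos code. The log lines are constructed in the
column layout of a Process Monitor CSV export; the process names, PIDs and
paths are made up for the example.
"""
import csv
import io
from collections import defaultdict

SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0","WINWORD.EXE","2200","CreateFile","C:\\Users\\alice\\Documents\\notes.docx","SUCCESS","Desired Access: Generic Read/Write"
"10:00:01.1","WINWORD.EXE","2200","WriteFile","C:\\Users\\alice\\Documents\\notes.docx","SUCCESS","Offset: 0, Length: 2,048"
"10:00:01.2","WINWORD.EXE","2200","CloseFile","C:\\Users\\alice\\Documents\\notes.docx","SUCCESS",""
"10:00:02.0","wasted.exe","4120","CreateFile","C:\\Users\\alice\\Documents\\report.docx","SUCCESS","Desired Access: Generic Read/Write"
"10:00:02.1","wasted.exe","4120","CreateFileMapping","C:\\Users\\alice\\Documents\\report.docx","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
"10:00:02.2","wasted.exe","4120","CloseFile","C:\\Users\\alice\\Documents\\report.docx","SUCCESS",""
"10:00:07.0","System","4","WriteFile","C:\\Users\\alice\\Documents\\report.docx","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Paging I/O"
"12:41:33.0","System","4","CloseFile","C:\\Users\\alice\\Documents\\report.docx","SUCCESS",""
"""


def parse(log_text: str) -> list:
    return list(csv.DictReader(io.StringIO(log_text)))


def naive_writes(events: list) -> dict:
    """Credit a write only to the process that issued it, and only while that
    process holds the file open (between its own CreateFile and CloseFile)."""
    open_files = set()
    writes = defaultdict(int)
    for e in events:
        key = (e["Process Name"], e["Path"])
        if e["Operation"] == "CreateFile":
            open_files.add(key)
        elif e["Operation"] == "CloseFile":
            open_files.discard(key)
        elif e["Operation"] == "WriteFile" and key in open_files:
            writes[e["Process Name"]] += 1
    return dict(writes)


def section_aware_writes(events: list) -> dict:
    """Additionally credit Cache Manager paging writes (issued as System) to the
    process that created a writable section on the path. The owner record must
    outlive that process's CloseFile: it is dropped only when System closes
    the file, which the researchers saw happen hours later."""
    open_files = set()
    section_owner = {}
    writes = defaultdict(int)
    for e in events:
        proc, path, op, detail = (e["Process Name"], e["Path"],
                                  e["Operation"], e["Detail"])
        key = (proc, path)
        if op == "CreateFile":
            open_files.add(key)
        elif op == "CreateFileMapping" and "PAGE_READWRITE" in detail:
            section_owner[path] = proc
        elif op == "CloseFile":
            open_files.discard(key)
            if proc == "System":
                section_owner.pop(path, None)   # Cache Manager released its handle
        elif op == "WriteFile":
            if "Paging I/O" in detail and path in section_owner:
                writes[section_owner[path]] += 1
            elif key in open_files:
                writes[proc] += 1
    return dict(writes)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("naive:        ", naive_writes(evs))
    print("section-aware:", section_aware_writes(evs))
```

On the sample the naive correlator credits one write to WINWORD.EXE and none to wasted.exe; the section-aware one credits one to each. The cost of the second approach is state that must persist for as long as the Cache Manager holds its handle, which per the researchers can be hours.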

Regarding the similarities observed between WastedLocker and Bitpaymer and the Dridex trojan, the pair said both Bitpaymer and WastedLocker abused alternate data streams in the same way. The malware found a clean system file, copied itself to the clean file’s ADS, and then executed itself as a service component of the clean file. This makes it appear that the clean file was the source of the ransomware behaviour.

And both accomplished this using the same technique: they reset the permissions on the targeted system file using icacls.exe so that the ADS component could be added, and copied the clean system file to the %APPDATA% folder.

Loman and Ajjan said Bitpaymer used custom API-resolving functions to call Windows APIs by a hash value rather than by the API function's name. The same code was also used by the Dridex malware and was consistently seen in many earlier Bitpaymer variants. WastedLocker made a major change by removing these functions.

Instead, it calls the Windows APIs directly. This change improved execution efficiency, since no time is spent computing hashes and resolving APIs dynamically.
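What "calling an API by hash" means in practice, and why analysts build hash tables to undo it, is easier to see in code. The following is an added example written for this article; it is not Bitpaymer's, Dridex's or Sophos's code. The hash function (rotate-right-13-and-add over the upper-cased name) and the export table are constructed for the example and are not the algorithm or constants those families use.

```python
"""Resolve Win32 exports by name hash, and reverse the hashes on the analyst's side.

Added illustration of the technique the researchers attribute to Bitpaymer and
Dridex; it is not their code. The hash function and the export table below are
constructed for this example.
"""
from typing import Dict, Iterable, List, Optional


def name_hash(name: str) -> int:
    """Constructed 32-bit hash: rotate-right by 13, then add each byte.
    Upper-casing first makes the comparison case-insensitive for free."""
    h = 0
    for ch in name.upper().encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


# Constructed stand-in for kernel32's export directory (name -> address).
FAKE_KERNEL32_EXPORTS: Dict[str, int] = {
    "CloseHandle":  0x7FF8_0001_1000,
    "CreateFileW":  0x7FF8_0001_2000,
    "GetLastError": 0x7FF8_0001_3000,
    "ReadFile":     0x7FF8_0001_4000,
    "WriteFile":    0x7FF8_0001_5000,
}

# In a real sample these are literal immediates in the binary with no API name
# string anywhere; they are computed here only to keep the example self-contained.
EMBEDDED_CONSTANTS: List[int] = [
    name_hash(n) for n in ("CreateFileW", "WriteFile", "CloseHandle")
]


def resolve_by_hash(exports: Dict[str, int], wanted: int) -> Optional[int]:
    """What the malware's resolver stub does: walk the export name table, hash
    every name and return the address whose hash matches. Linear in the number
    of exports on every call, which is the cost of resolving dynamically."""
    for name, address in exports.items():
        if name_hash(name) == wanted:
            return address
    return None


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """What the analyst does: precompute the hash of every known export so the
    constants pulled out of the binary can be turned back into API names."""
    return {name_hash(n): n for n in names}


def recover_api_names(constants: Iterable[int], table: Dict[int, str]) -> List[str]:
    """Map embedded constants back to names. Unknown hashes are kept as hex so
    they can be chased down (wrong hash algorithm, or an export not in the table)."""
    return [table.get(c, f"unknown_{c:08x}") for c in constants]


if __name__ == "__main__":
    table = build_hash_table(FAKE_KERNEL32_EXPORTS)
    print(recover_api_names(EMBEDDED_CONSTANTS, table))
    print(hex(resolve_by_hash(FAKE_KERNEL32_EXPORTS, EMBEDDED_CONSTANTS[0])))
```

The two halves are the same computation run in opposite directions: the stub hashes names it finds at runtime and compares against a constant, the analyst hashes names from a known export list and compares against the constants found in the binary. Getting the hash algorithm exactly right (rotation amount, case folding, whether the terminating NUL is included) is what makes the reverse lookup succeed.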

Both ransomware packages, WastedLocker and BitPaymer, used a similar User Account Control bypass technique to elevate the clean, hijacked process so that it could run the ransomware code (using the ADS technique mentioned). Bitpaymer added a .cmd file to the registry key HKCU\Software\Classes\mscfile\shell\open\command; when eventvwr.exe, which runs elevated, was executed it checked that key by default, and the .cmd file found there ran the ransomware binary. WastedLocker instead used winsat.exe and winmm.dll to run the ransomware binary (the ADS component) by patching winmm.dll.
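Several of the host artefacts described in the last few paragraphs (a process image with an alternate data stream in its name, icacls.exe resetting permissions on a file under %APPDATA%, the mscfile handler key being written, winsat.exe loading a winmm.dll from outside System32) are straightforward to look for in endpoint telemetry. The block below is an added detection sketch, not Sophos code and not tested against real samples. The events are constructed in the field layout of Sysmon Event ID 1 (process creation), 7 (image load) and 13 (registry value set); the user name, SID, PIDs, file names and the stream name "bin" are made up, and it is assumed the telemetry records the full path including the stream name for a process started from an ADS. icacls.exe's /reset switch is its documented way to replace a file's ACL with the inherited default, which is assumed here to be what "reset the privileges" means.

```python
"""Flag WastedLocker/Bitpaymer-style host artefacts in Sysmon-style telemetry.

Added detection sketch; not Sophos code. Events are constructed in the field
layout of Sysmon Event ID 1, 7 and 13; all values are made up for the example.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Hit = Tuple[str, str]   # (rule name, ProcessId)

SAMPLE_EVENTS: List[Event] = [
    # benign Office activity: must not fire
    {"EventID": "1", "ProcessId": "2200",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'},
    # clean system file copied to %APPDATA% and its ACL reset
    {"EventID": "1", "ProcessId": "4100", "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\Users\alice\AppData\Roaming\aCZ6Fr.exe" /reset'},
    # ransomware body executed out of the clean file's alternate data stream
    {"EventID": "1", "ProcessId": "4120",
     "Image": r"C:\Users\alice\AppData\Roaming\aCZ6Fr.exe:bin",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\aCZ6Fr.exe:bin -3"},
    # Bitpaymer-style eventvwr.exe handler hijack
    {"EventID": "13", "ProcessId": "4120",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\x.cmd"},
    # WastedLocker-style winsat.exe loading a winmm.dll outside System32
    {"EventID": "7", "ProcessId": "4300", "Image": r"C:\Users\alice\AppData\Roaming\winsat.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\winmm.dll"},
    # winsat loading the genuine DLL: must not fire
    {"EventID": "7", "ProcessId": "4400", "Image": r"C:\Windows\System32\winsat.exe",
     "ImageLoaded": r"C:\Windows\System32\winmm.dll"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_ads_image(path: str) -> bool:
    """A colon after the last backslash names an alternate data stream; the
    drive colon sits in the first component, so it never matches."""
    return ":" in _basename(path)


def detect(events: List[Event]) -> List[Hit]:
    hits: List[Hit] = []
    for e in events:
        eid, pid = e["EventID"], e["ProcessId"]
        if eid == "1":
            image = _basename(e["Image"]).lower()
            cmd = e["CommandLine"]
            if is_ads_image(e["Image"]):
                hits.append(("exec_from_ads", pid))
            if (image == "icacls.exe" and re.search(r"/reset\b", cmd, re.I)
                    and "\\appdata\\" in cmd.lower()):
                hits.append(("icacls_reset_in_appdata", pid))
        elif eid == "13":
            if "\\software\\classes\\mscfile\\shell\\open\\command" in e["TargetObject"].lower():
                hits.append(("mscfile_handler_hijack", pid))
        elif eid == "7":
            loaded = e["ImageLoaded"]
            if (_basename(e["Image"]).lower() == "winsat.exe"
                    and _basename(loaded).lower() == "winmm.dll"
                    and not loaded.lower().startswith("c:\\windows\\system32\\")):
                hits.append(("winsat_winmm_sideload", pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:<26} pid={pid}")
```

Each rule is deliberately narrow and keyed on a behaviour the researchers describe rather than on a file hash, so it survives a rebuild of the binary; the price is that the ADS rule depends on the sensor recording the stream name in the image path, and the icacls rule will also see legitimate administrators resetting ACLs under a profile directory, so both are better treated as hunting leads than as blocking rules.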

Over time, Bitpaymer slowly improved its encryption method. Early variants used an RC4 key to encrypt file content, and encrypted that RC4 key with a 1024-bit RSA public key. Later variants, as well as current versions of WastedLocker, improved on this by using AES-256 in CBC mode to encrypt the files, with a 4096-bit RSA public key in place of the 1024-bit one.

Both ransomware packages also Base64-encoded the key information and stored the encoded key in the ransom note.

Loman and Ajjan said both malware packages customised the ransom note for each victim by adding the name of the organisation. WastedLocker also added the name of the organisation to the ransom note file name as a prefix.

Finally, the two researchers said, WastedLocker could perform certain operations when its main executable was launched with specific arguments, as could some earlier versions of BitPaymer. Both used numbers as arguments, and the numbers they used to indicate the operation the malware was to perform were the same (e.g., -1 indicates the main/initial execution, -2 issues a command to copy the malware and run it using ADS, and -3 indicates that it will begin the file encryption process).

"While none of these alone, or even in combination, is enough to definitively say that, for instance, the same creator was responsible for both ransomware packages, the similarities are so striking as to raise questions about whether the malware author(s) of Bitpaymer and WastedLocker are connected in some collaborative way," Loman and Ajjan noted.



Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
