
The Tricks Used By WastedLocker To Make It One Of The Most Dangerous Cyber Threats

[Palmer, Danny. “Ransomware: The tricks used by WastedLocker to make it one of the most dangerous cyber threats.” ZDNet, August 4, 2020, www.zdnet.com]

https://www.zdnet.com/article/ransomware-the-tricks-used-by-wastedlocker-to-make-it-one-of-the-most-dangerous-cyber-threats/

“One of the most dangerous families of ransomware to emerge this year is finding success because it's been built to avoid anti-ransomware tools and other cybersecurity software, according to security company researchers who have analysed its workings.”

“The author of the WastedLocker ransomware constructed a sequence of manoeuvres meant to confuse and evade behavior-based anti-ransomware solutions, according to the report.”

“Many malware families use some code obfuscation techniques to hide malicious intent and avoid detection, but WastedLocker adds additional layers to this by interacting with Windows API functions from within the memory itself, where it's harder to be detected by security tools based on behavioural analysis.”

“WastedLocker uses a trick to make it harder for behavior-based anti-ransomware solutions to keep track of what is going on, by using memory-mapped I/O to encrypt a file. This technique allows the ransomware to transparently encrypt cached documents in memory, without causing additional disk I/O, which can shield it from behavior-monitoring software.”

“Then, by the time the infection is detected it's too late – often the first sign is when the attackers have pulled the trigger on the ransomware attack and victims find themselves faced with a ransom note demanding millions of dollars.”
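The quoted paragraphs describe a defence that watches disk I/O and therefore misses in-place encryption through memory-mapped files. As an added example (not code from the ZDNet article or from RevBits), the check below compares what each file now contains against an earlier baseline and flags files whose byte entropy has jumped into the ciphertext range; because it inspects content rather than the write path, it does not care whether the bytes arrived via write(), a memory mapping, or an OS-provided encryption service. The directory, file names and the random-byte stand-in for encrypted content are constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 for English prose, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def snapshot(root: str) -> dict:
    """Entropy of every regular file under root, keyed by path (the baseline)."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result[path] = shannon_entropy(fh.read())
    return result

def encrypted_looking_files(baseline: dict, root: str,
                            high: float = 7.0, jump: float = 2.5) -> list:
    """Paths whose content is now ciphertext-like AND rose sharply since the baseline.
    Only content is compared, so how the bytes were written (write(), mmap, EFS) is irrelevant."""
    current = snapshot(root)
    return sorted(p for p, now in current.items()
                  if now >= high and now - baseline.get(p, 0.0) >= jump)

def demo() -> tuple:
    """Constructed corpus: three prose files, one then overwritten with random bytes."""
    root = tempfile.mkdtemp(prefix="entropy-demo-")
    for i in range(3):
        with open(os.path.join(root, f"report{i}.txt"), "w") as fh:
            fh.write("quarterly figures, all normal prose\n" * 50)
    baseline = snapshot(root)
    victim = os.path.join(root, "report1.txt")
    with open(victim, "r+b") as fh:
        # Same size as the original; random bytes stand in for ciphertext in this demo.
        fh.write(os.urandom(os.path.getsize(victim)))
    return encrypted_looking_files(baseline, root), victim

if __name__ == "__main__":
    flagged, victim = demo()
    print("flagged:", flagged, "expected:", [victim])
```

The thresholds are illustrative; in practice the baseline would be refreshed on a schedule and the jump compared per file type, since compressed formats such as ZIP or JPEG already sit near 8 bits per byte.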

RevBits Thoughts:

The value of a successful ransomware attack is self-evident. Recent incidents, such as Garmin, demonstrate the realities of what companies are faced with when a successful ransomware attack occurs. A successful attack means either paying the requested ransom or absorbing enormous forensics and remediation costs.

Ransomware is not going away because the value of a successful attack is tremendous.

To increase the odds of a successful attack, malicious actors will continue to build ever more sophisticated ransomware that obfuscates its actions to evade detection. To beat sophisticated ransomware, organizations need to deploy equally sophisticated endpoint security.

RevBits Endpoint Security is designed to detect the most sophisticated ransomware, whether known or novel. Through the unique design of its behavioral analysis protocol, RevBits Endpoint Security continues to analyze new executables even when their activity is conducted through memory-mapped files. Novel actions cannot be hidden from analysis simply by acting in a specific location or by utilizing an approved operating system process. All behavior is analyzed regardless of process location or operation, and actions determined to be malicious, such as encryption, are automatically blocked.

For instance, if ransomware is designed to use Microsoft's EFS operation to conduct encryption, most endpoint security products will not block the action because it is an approved operation of the onboard OS. RevBits Endpoint Security disregards the fact that a new executable is using an authentic and approved process: the subsequent behavior is analyzed and, if determined malicious, the action is detected, blocked and reported.

RevBits Endpoint Security delivers expanding value to an enterprise by continuing to protect regardless of how novel the ransomware is. The solution never requires updates based on reported threat research, nor does it require new signatures to be added to its analysis engine to detect novel ransomware. Obfuscation can never be used by ransomware as an effective countermeasure because its complete behavior is always analyzed.
