{
	"id": "55f0cba1-f759-427d-afba-9eb7361d6728",
	"created_at": "2026-04-06T00:14:29.065542Z",
	"updated_at": "2026-04-10T13:11:26.971136Z",
	"deleted_at": null,
	"sha1_hash": "2158f7a5867e6239c3568e3af508c43683dce6fa",
	"title": "WastedLocker: technical analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2337199,
	"plain_text": "WastedLocker: technical analysis\r\nBy Fedor Sinitsyn\r\nPublished: 2020-07-31 · Archived: 2026-04-05 13:35:24 UTC\r\nThe use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are\r\nbeing reported every month, sometimes even more often.\r\nOn July 23, Garmin, a major manufacturer of navigation equipment and smart devices, including smart watches\r\nand bracelets, experienced a massive service outage. As confirmed by an official statement later, the cause of the\r\ndowntime was a cybersecurity incident involving data encryption. The situation was so dire that at the time of\r\nwriting of this post (7/29) the operation of the affected online services had not been fully restored.\r\nAccording to currently available information, the attack saw the threat actors use a targeted build of the trojan\r\nWastedLocker. An increase in the activity of this malware was noticed in the first half of this year.\r\nWe have performed a technical analysis of a WastedLocker sample.\r\nCommand line arguments\r\nIt is worth noting that WastedLocker has a command line interface that allows it to process several arguments that\r\ncontrol the way it operates.\r\n -p \u003cdirectory-path\u003e\r\nPriority processing: the trojan will encrypt the specified directory first, then add it to an internal exclusion list\r\n(to avoid processing it twice) and encrypt all the remaining directories on available drives.\r\n -f \u003cdirectory-path\u003e\r\nEncrypt only the specified directory.\r\n -u username:password \\\\hostname\r\nEncrypt files on the specified network resource using the provided credentials for authentication.\r\n -r\r\nLaunch the following sequence of actions:\r\n1. Delete ;\r\n2. Copy to %WINDIR%\\system32\\\u003crand\u003e.exe using a random substring from the list of subkeys of the\r\nregistry key SYSTEM\\CurrentControlSet\\Control\\;\r\n3. Create a service with a name chosen similarly to the method described above. 
If a service with this name\r\nalready exists, append the prefix “Ms” (e.g. if the service “Power” already exists, the malware will create a\r\nhttps://securelist.com/wastedlocker-technical-analysis/97944/\r\nPage 1 of 7\n\nnew one with the name “MsPower”). The command line for the new service will be set to\r\n“%WINDIR%\\system32\\\u003crand\u003e.exe -s”;\r\n4. Start this service and wait until it finishes working;\r\n5. Delete the service.\r\n -s\r\nStart the created service. This leads to the encryption of any files the malware can find.\r\nUAC bypass\r\nAnother interesting feature of WastedLocker is the chosen method of UAC bypass. When the trojan starts, it will\r\ncheck the integrity level it was run on. If this level is not high enough, the malware will try to silently elevate its\r\nprivileges using a known bypass technique.\r\n1. Create a new directory in %appdata%; the directory name is chosen at random from the substrings found\r\nin the list of subkeys of the registry key SYSTEM\\CurrentControlSet\\Control\\;\r\n2. Copy a random EXE or DLL file from the system directory to this new directory;\r\n3. Write the trojan’s own body into the alternate NTFS stream “:bin” of this system file;\r\n4. Create a new temporary directory and set its mount point to “C:\\Windows ” (with a trailing whitespace)\r\nusing the API function NtFsControlFile with the flag IO_REPARSE_TAG_MOUNT_POINT;\r\n5. Create a new subdirectory named “system32” inside the temporary directory. As a result of the previous\r\nstep, this new subdirectory can be equally successfully addressed as “%temp%\\\r\n\u003cdirectory_name\u003e\\system32” or “C:\\Windows \\system32” (note the whitespace);\r\n6. Copy the legitimate winsat.exe and winmm.dll into this subdirectory;\r\n7. Patch winmm.dll: replace the entry point code with a short fragment of malicious code whose only\r\npurpose is to launch the content of the alternate NTFS stream created on step 2;\r\n8. 
Launch winsat.exe, which will trigger the loading of the patched winmm.dll as a result of DLL hijacking.\r\nThe above sequence of actions results in WastedLocker being relaunched from the alternate NTFS stream with\r\nelevated administrative privileges without displaying the UAC prompt.\r\nProcmon log fragment during the launch of WastedLocker\r\nCryptographic scheme\r\nTo encrypt victims’ files, the developers of the trojan employed a combination of the AES and RSA algorithms\r\nthat has already become a ‘classic’ among different crypto-ransomware families.\r\nThe search mask used to choose which files will be encrypted, as well as the list of ignored paths, are set in the\r\nconfiguration of the malware.\r\nPart of the trojan config showing the ignored path substrings\r\nFor each processed file, WastedLocker generates a unique 256-bit key and a 128-bit IV, which are used to\r\nencrypt the file content with AES-256 in CBC mode. The implementation of the file operations is\r\nworthy of note, as it employs file mapping for data access. This was likely an attempt by the criminals to\r\nmaximize the trojan’s performance and/or avoid detection by security solutions. Each encrypted file gets a new\r\nadditional extension: “.garminwasted”.\r\nThe trojan also implements a form of integrity control as part of its file encryption routine. The malware calculates\r\nan MD5 hash of the original content of each processed file, and this hash may be used during decryption to\r\nverify the correctness of the procedure.\r\nWastedLocker uses a publicly available reference implementation of the RSA algorithm named “rsaref”.\r\nThe AES key, IV and the MD5 hash of the original content, as well as some auxiliary information, are encrypted\r\nwith a public RSA key embedded in the trojan’s body. 
The sample under consideration contains a 4096-bit public\r\nRSA key.\r\nThe public RSA key format used by WastedLocker\r\nIt should be noted that this kind of cryptographic scheme, using one public RSA key for all victims of a given\r\nmalware sample, could be considered a weakness if WastedLocker were to be mass-distributed. In that case a\r\ndecryptor made for one victim would have to contain the single private RSA key that would allow all the victims to\r\ndecrypt their files.\r\nHowever, as we can see, WastedLocker is used in attacks targeted at a specific organization, which makes this\r\ndecryption approach worthless in real-world scenarios.\r\nThe result of RSA encryption is Base64 encoded and saved in a new file with the extension .garminwasted_info;\r\nnotably, a new info file is created for each of the victim’s encrypted files. This is a rare approach that\r\nwas previously used by the BitPaymer and DoppelPaymer trojans.\r\nAn example list of encrypted files from our test machine\r\nRansom note left by the trojan\r\nRecommendations\r\nThe WastedLocker sample we analyzed is targeted and crafted specifically to be used in this particular attack. It\r\nuses a “classic” AES+RSA cryptographic scheme which is strong and properly implemented, and therefore the\r\nfiles encrypted by this sample cannot be decrypted without the threat actors’ private RSA key.\r\nThe Garmin incident is the latest in a series of targeted attacks on large organizations involving crypto-ransomware. Unfortunately, there is no reason to believe that this trend will decline in the near future.\r\nThat is why it is crucial to follow a number of recommendations that may help prevent this type of attack:\r\n1. 
Use up-to-date OS and application versions;\r\n2. Refrain from opening RDP access on the Internet unless necessary. Preferably, use a VPN to secure remote\r\naccess;\r\n3. Use modern endpoint security solutions, such as Kaspersky Endpoint Security for Business, that support\r\nbehavior detection, automatic file rollback and a number of other technologies to protect from ransomware;\r\n4. Improve user education in the field of cybersecurity. Kaspersky Security Awareness offers computer-based training products that combine expertise in cybersecurity with best-practice educational techniques\r\nand technologies;\r\n5. Use a reliable data backup scheme.\r\nKaspersky products protect from this threat, detecting it as Trojan-Ransom.Win32.Wasted.d and\r\nPDM:Trojan.Win32.Generic. The relevant behavioral detection logic was added in 2017.\r\nIoC\r\n2cc4534b0dd0e1c8d5b89644274a10c1\r\nSource: https://securelist.com/wastedlocker-technical-analysis/97944/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/wastedlocker-technical-analysis/97944/"
	],
	"report_names": [
		"97944"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434469,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2158f7a5867e6239c3568e3af508c43683dce6fa.pdf",
		"text": "https://archive.orkl.eu/2158f7a5867e6239c3568e3af508c43683dce6fa.txt",
		"img": "https://archive.orkl.eu/2158f7a5867e6239c3568e3af508c43683dce6fa.jpg"
	}
}