{
	"id": "8ccf1857-501a-414e-8ccd-bb66fdc61bfc",
	"created_at": "2026-04-06T00:22:13.623567Z",
	"updated_at": "2026-04-10T13:11:43.551118Z",
	"deleted_at": null,
	"sha1_hash": "44f29d80e278f3966e5bcf6816e8a0f46d85e328",
	"title": "Threat Assessment: WastedLocker Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 188742,
	"plain_text": "Threat Assessment: WastedLocker Ransomware\r\nBy Alex Hinchliffe, Doel Santos, Adrian McCabe, Robert Falcone\r\nPublished: 2020-07-30 · Archived: 2026-04-05 16:27:57 UTC\r\nExecutive Summary\r\nUnit 42 has observed a recent uptick in WastedLocker ransomware activity, which has increased since the initial samples were analyzed by WildFire in May 2020. In light of this, together with recent media coverage around large U.S. corporations being targeted by the threat, we have created this general assessment of the ransomware.\r\nFull visualization of these techniques can be viewed in the Unit 42 Playbook Viewer.\r\nWastedLocker is post-intrusion ransomware of the same ilk as Samsa, Maze, EKANS, Ryuk, BitPaymer and others. This type of ransomware differs from large-volume, victim-agnostic ransomware variants like WannaCry by targeting an organization perceived as having a large amount of assets, successfully breaching it, and then deploying specially crafted ransomware to as many systems as possible within that organization in a short timeframe to maximize impact and increase chances of receiving a much larger ransom payment.\r\nOn June 23, 2020, NCC Group published a report providing a detailed overview of the WastedLocker ransomware, including information on the group believed to be behind it, Evil Corp. In the past, this group has been responsible for the Dridex banking Trojan and other related threats and campaigns.\r\nThe Palo Alto Networks Threat Prevention subscription for the Next-Generation Firewall with WildFire and the Cortex XDR endpoint protection engine detects activity associated with this ransomware. Cortex XDR also contains an Anti-Ransomware Protection module, which targets encryption-based activities associated with ransomware. Additionally, AutoFocus customers can review activity associated with this threat with the following tag: WastedLocker.\r\nTargeting\r\nUsing our threat intelligence platform, AutoFocus, Unit 42 has identified some possible targets for the actors behind WastedLocker. The majority of organizations are based in the U.S., which ties in with activity reported by Symantec on June 26, 2020. The organizations operate in various sectors, including professional and legal services, utilities and energy, manufacturing, wholesale and retail, high tech, engineering, pharma and life sciences, and transportation and logistics (including one transportation and logistics organization from the United Kingdom that appears to have operations in the U.S.).\r\nWastedLocker Attack Technical Overview\r\nNote: This is only a high-level overview of the pertinent technical aspects of WastedLocker attacks. For a more in-depth technical analysis, including Indicators of Compromise (IoCs), see SentinelOne’s blog, “WastedLocker Ransomware: Abusing ADS and NTFS File Attributes.”\r\nhttps://unit42.paloaltonetworks.com/wastedlocker/\r\nPage 1 of 3\r\nFigure 1. WastedLocker killchain\r\nInitial Infection Vector\r\nAccording to previously reported WastedLocker activity by Symantec, the most commonly observed initial infection mechanism for WastedLocker attacks is ZIP files (likely disguised as legitimate software updates) containing malicious SocGholish JavaScript framework loader components that profile the victim system and use PowerShell to ultimately deploy Cobalt Strike payloads.\r\nWhile the full technical analysis of how the SocGholish framework operates is beyond the scope of this blog, an in-depth summary of its operation can be found in this post about fake browser update pages.\r\nLateral Movement\r\nOnce the Cobalt Strike payload is installed on a victim’s machine, it is then used to move laterally through the victim’s network and facilitate the identification of additional systems on which attackers can deploy their main payloads. (WastedLocker attackers have also been observed using legitimate Windows utilities such as Windows Management Instrumentation [WMI] and PsExec to do this.) Of particularly high value to targeted ransomware attackers are systems that directly affect a victim’s customer-facing revenue-generating business operations, internal systems of high visibility and high use, and systems that contain (or facilitate the deployment of) system backups.\r\nFinal Payload\r\nFinally, once sufficient reconnaissance of the victim’s network has been conducted, the attackers move to deploy the WastedLocker ransomware payload using one or more system management utilities. (The exact mechanism is out of scope for this blog, but more details are available in SentinelOne’s post.)\r\nDuring execution on a target host, the ransomware will:\r\nAttempt to elevate execution privileges (if not already running as Administrator).\r\nAttempt to disable Windows Defender monitoring.\r\nDelete shadow copies/volume snapshots.\r\nInstall itself as a service.\r\nOnce installed, the delivery of the payload is complete and files are overwritten. The ransomware mainly uses a .\u003cvictim name\u003ewasted extension, though files containing ransom note details are appended with a .\u003cvictim name\u003ewasted_info extension.\r\nThe *.wasted_info ransom note files we have analyzed thus far resemble the following example, where variable data is shown between \u003c\u003e characters. The actor email addresses used can differ, and the domain names include the following (in most- to least-used order): PROTONMAIL.CH, AIRMAIL.CC, ECLIPSO.CH, TUTANOTA.COM and PROTONMAIL.COM.\r\n\u003cvictim name\u003e\r\nYOUR NETWORK IS ENCRYPTED NOW\r\nUSE \u003cactor email 1\u003e | \u003cactor email 2\u003e TO GET THE PRICE FOR YOUR DATA\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\nDO NOT RENAME OR MOVE THE FILE\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]\u003cbase64 encoded public key\u003e[end_key]\r\nKEEP IT\r\nSource: https://unit42.paloaltonetworks.com/wastedlocker/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/wastedlocker/"
	],
	"report_names": [
		"wastedlocker"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434933,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44f29d80e278f3966e5bcf6816e8a0f46d85e328.pdf",
		"text": "https://archive.orkl.eu/44f29d80e278f3966e5bcf6816e8a0f46d85e328.txt",
		"img": "https://archive.orkl.eu/44f29d80e278f3966e5bcf6816e8a0f46d85e328.jpg"
	}
}