{
	"id": "e96b2c34-fe8c-4d28-93cb-0bad7f7ae5bb",
	"created_at": "2026-04-06T00:19:11.261463Z",
	"updated_at": "2026-04-10T03:33:15.48806Z",
	"deleted_at": null,
	"sha1_hash": "76756c0d6bfd68fcfa0ccb25f459ec7eee562459",
	"title": "Threat spotlight: WastedLocker, customized ransomware | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 265803,
	"plain_text": "Threat spotlight: WastedLocker, customized ransomware |\r\nMalwarebytes Labs\r\nBy Pieter Arntz\r\nPublished: 2020-07-09 · Archived: 2026-04-05 18:36:02 UTC\r\nWastedLocker is a new ransomware operated by a malware exploitation gang commonly known as the Evil Corp\r\ngang. The same gang that is associated with Dridex and BitPaymer.\r\nThe attribution is not based on the malware variants as WastedLocker is very different from BitPaymer. What was\r\nkept was the ability to add specific modules for different targets.\r\nThe attacks performed using WastedLocker are highly targeted at very specific organizations. It is suspected that\r\nduring a first penetration attempt an assessment of active defenses is made and the next attempt will be\r\nspecifically designed to circumvent the active security software and other perimeter protection.\r\nThe ransomware name is derived from the filename it creates which includes an abbreviation of the victim’s name\r\nand the string “wasted”.\r\nFor each encrypted file, the attackers create a separate file that contains the ransomware note. The ransom note has\r\nthe same name as the associated file with the addition of “_info”.\r\nThe ransom demands are steep, ranging from $500,000 to over $10 million in Bitcoin. Given that the operators\r\nmake every effort to go after any backups, some organizations may feel the need to pay up. Where other\r\nransomware operators are adding the exfiltration and even auction of stolen data to their arsenal, the Evil Corp\r\ngang has shown no inclination in that direction yet.\r\nhttps://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/\r\nPage 1 of 4\n\nHistorically the Evil Corp gang targets mostly US organizations and it looks like they are staying on that track\r\nwith a few victims in Europe. The main players in the group are believed to be Russian.\r\nThe importance of offline backups\r\nIn general, we can state that if this gang has found an entrance into your network it will be impossible to stop them\r\nfrom encrypting at least part of your files. The only thing that can help you salvage your files in such a case is if\r\nyou have either roll-back technology or a form of off-line backups. With online, or otherwise connected backups\r\nyou run the chance of your backup files being encrypted as well, which makes the whole point of having them\r\nmoot. Please note that the roll-back technologies are reliant on the activity of the processes monitoring your\r\nsystems. And the danger exists that these processes will be on the target list of the ransomware gang. Meaning that\r\nthese processes will be shut down once they gain access to your network.\r\nAs you may have noticed this is a very sophisticated and highly targeted type of ransomware. Which means that,\r\ngiven the ransom demands, most of the affected companies will have a dedicated cyber- security department. It is\r\nimperative that this staff is alert on the early warning signs of these attacks which may be indicated by breach\r\nattempts. At later stages more disruptive actions may be taken, such as disabled security software, dropped files,\r\nand deleted backups\r\nUnlike other ransomware operators Evil Corp does not exfiltrate stolen data and publish or auction the data that\r\nbelong to “clients” that are unwilling to pay the ransom.\r\nInfection details\r\nOne of the methods found to date is the usage of fake software update alerts embedded in existing websites.\r\nThe malware from these websites is a penetration testing and exploration kit designed to create a foothold and\r\ngather information about the network. Historically Evil Corp has targeted file servers, database services, virtual\r\nmachines, and cloud environments.\r\nhttps://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/\r\nPage 2 of 4\n\nOnce the exploration phase has completed the gang will drop the ransomware on the compromised systems.\r\nThe ransomware itself is custom built for each client so there is nothing to be gained by doing a full analysis. The\r\nattacks do have some commonalities though which we will discuss here.\r\nDeletes shadow copies, which are the default backups made by the Windows OS.\r\nThe main executable for the ransomware is copied to the system folder and gets elevated permissions\r\nA service is created that runs during encryption.\r\nDuring encryption the encrypted files are renamed, and the ransom notes are created.\r\nA log file is created that lists the number of targeted files, the number of encrypted files, and the number of\r\nfiles that were not encrypted due to access rights issues.\r\nThe service is stopped and deleted.\r\nOverview\r\nWastedLocker has been actively deployed since May 2020.\r\nEvil Corp behind: this group previously associated to the Dridex malware\r\nand BitPaymer aka IEcrypt aka FriedEx aka WastedLocker.\r\nEvil Corp has been using WastedLocker to request ransoms in the range of millions of USD, with some\r\ndemands going above $10 million.\r\nWastedLocker replaces BitPaymer in the group’s operations.\r\nTechnically, WastedLocker does not have much in common with BitPaymer\r\nThe ransomware name is derived from the filename it creates which includes an abbreviation of the\r\nvictim’s name and the string ‘wasted’. \r\nEncrypted files extension is set according to the targeted organisations name along with the prefix wasted\r\nExample: test.txt.orgnamewasted (encrypted data) and test.txt.orgnamewasted_info (ransomware note)\r\nNo data theft and no leak site.\r\nEach ransomware victim has a custom build configured or compiled for them.\r\nNote contains: Protonmail and Tutanota email domains, as well as Eclipso and Airmail email addresses.\r\nThe email addresses listed in the ransom messages are numeric – usually 5 digit numbers.\r\nInfection highlights\r\nDelete shadow copies\r\nCopy the ransomware binary file to %windir%system32 and take ownership of it (takeown.exe /F filepath)\r\nand reset the ACL permissions. In other cases an Alternate Data Stream (ADS) is used as a means to run\r\nthe ransomware processes.\r\nCreate and run a service. The service is deleted once the encryption process is completed.\r\nIOC’s\r\n*wasted and *wasted_info filenames for encrypted files and the ransom notes\r\nBasic layout of the content of the ransom note:\r\nhttps://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/\r\nPage 3 of 4\n\n*ORGANIZATION_NAME*\r\nYOUR NETWORK IS ENCRYPTED NOW\r\nUSE *EMAIL1* | *EMAIL2* TO GET THE PRICE FOR YOUR DATA\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\nDO NOT RENAME OR MOVE THE FILE\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]*[end_key]\r\nKEEP IT\r\nThe email addresses are usually numeric and 5 digits, one at Protonmail and the other at Airmail, but we have also\r\nseen Tutanota and Eclipso email addresses.\r\nMalwarebytes detection\r\nMalwarebytes detects WastedLocker ransomware as Ransom.BinADS.\r\nStay safe everyone!\r\nAbout the author\r\nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich\r\nmahogany and leather-bound books.\r\nSource: https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/\r\nhttps://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/"
	],
	"report_names": [
		"threat-spotlight-wastedlocker-customized-ransomware"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434751,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76756c0d6bfd68fcfa0ccb25f459ec7eee562459.pdf",
		"text": "https://archive.orkl.eu/76756c0d6bfd68fcfa0ccb25f459ec7eee562459.txt",
		"img": "https://archive.orkl.eu/76756c0d6bfd68fcfa0ccb25f459ec7eee562459.jpg"
	}
}