{
	"id": "bc7785d2-7587-4470-b1ae-d17f766ca3da",
	"created_at": "2026-04-06T00:19:11.409025Z",
	"updated_at": "2026-04-10T03:24:24.348932Z",
	"deleted_at": null,
	"sha1_hash": "7fc86b1b4b5b304c28651ce568311724f17b5dc3",
	"title": "WastedLocker Ransomware: Abusing ADS and NTFS File Attributes - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 861787,
	"plain_text": "WastedLocker Ransomware: Abusing ADS and NTFS File\r\nAttributes - SentinelLabs\r\nBy Jim Walter\r\nPublished: 2020-07-23 · Archived: 2026-04-05 12:44:28 UTC\r\nBackground\r\nWastedLocker is a relatively new ransomware family which has been tracked in the wild since April/May 2020.\r\nThe name comes from the ‘wasted’ string which is appended to encrypted files upon infection. Similar to families\r\nlike Maze and NetWalker, WastedLocker has been attacking high-value targets across numerous industries. Their\r\ncampaigns have targeted several United States-based Fortune 500 companies as well.\r\nLeveraging SocGholish \u0026 Cobalt Strike\r\nPayload delivery is achieved through multiple methodologies. Once attackers have gained a foothold in the\r\ntargeted environment, Cobalt Strike is often used to directly deliver the ransomware payloads. We have also seen\r\nthe actors behind WastedLocker leverage the SocGholish framework, which is a JavaScript-based framework that\r\nallows attackers to spread malware payloads masquerading as system or software updates.\r\nThe SocGholish toolset has been observed in use with a plethora of malware campaigns since 2018. That is to say,\r\nit is not exclusive to WastedLocker. In the past, SocGholish has been used with NetSupport RAT, Lokibot, and\r\nother commodity malware types and families. Websites containing the malicious JavaScript code can then be used\r\nto deliver the malware once users are enticed into visiting the site(s).\r\nOnce victims have been compromised via SocGholish, Cobalt Strike is used to laterally move as well as gain\r\nadditional profile data on the targeted hosts or environment. Prior to delivering the WastedLocker payload,\r\nattackers typically disable core Windows Defender features, as well as delete Volume Shadow Copies.\r\nAdditional LOTL-style tools are also often observed in the campaigns. 
For example, in some cases PsExec will be\r\nused to initiate the launch of the WastedLocker ransomware. PowerShell and WMIC are also sometimes utilized\r\nin profiling and tuning the environment.\r\nhttps://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/\r\nPage 1 of 6\n\nHiding via NTFS’ Alternate Data Stream\r\nWastedLocker has an affinity for running with administrative privileges. If the payload is executed with non-administrative permissions, it will attempt to elevate privileges via UAC bypass (Mocking Trusted Directories).\r\nOnce elevated, the ransomware will write a copy of a random file from System32 to the %APPDATA% directory.\r\nThe newly copied file will have a random and hidden filename. This process allows for the ransomware to copy\r\nitself into the file by way of an alternate data stream (ADS).\r\nThis is followed by the creation of a new folder in %TEMP% which contains copies of WINMM.DLL and\r\nWINSAT.EXE. The %TEMP% copy of WINMM.DLL is then leveraged to execute the ransomware from the\r\npreviously generated alternate data stream.\r\nWastedLocker Encryption Routine\r\nThe encryption style does not differ significantly from other prominent ransomware families. WastedLocker will\r\nattempt to encrypt files on local as well as remote (network adjacent and accessible) and removable drives. Once\r\nthe eligible drives are located, the ransomware will begin the encryption process.\r\nAll file types are potential candidates for encryption; however, the ransomware does contain a ‘whitelist’ of sorts,\r\nwith directories and extensions to exclude from encryption. This functionality can vary across campaigns. Files\r\nare encrypted via AES (Cipher Block Chaining mode + IV / Initialization Vector) with keys generated for each\r\nencrypted file. The AES keys (+IV) are then encrypted using an RSA-4096 public key.\r\nThe ransom notes contain a base64 representation of the RSA public key. 
Encrypted files will be renamed with a\r\ncombination of the targeted company’s name along with the string “wasted”. For example, if the non-existent\r\ncompany “Turbo Chicken Audio” were infected, the files would look something like\r\n“file.pdf.turbochickenaudiowasted” (from file.pdf). The example below shows a set of encrypted files post-infection (partially redacted for privacy).\r\nFor each encrypted file, an additional file will be created with “_info” appended to the end of the file extension.\r\nThese individual files are the ransom notes. Each ransom note also contains the company/target name and an\r\nencoded copy of the public key specific to the host. This is in addition to very limited instructions on how to\r\nengage the attackers and potentially “get the price for” the encrypted data. Victims are instructed to email the\r\nattackers for further instructions.\r\nThe email addresses provided are associated with public, secure email providers (ex: ProtonMail, Eclipso,\r\nTutanota, and Airmail). An example ransom note is below (partially redacted for privacy).\r\nAdditional Details\r\nIt is also important to note that some analyzed samples support specific command-line parameters. The following\r\nare examples of supported parameters:\r\n-p (path) Encrypt specified folder/directory before continuing to the rest of the drive/device\r\n-r Multi-Purpose: Delete VSS, create a copy of the payload in SYSTEM32, create the ransomware’s service\r\nentry and execute\r\n-f (path) Only encrypt files in the specified directory/folder\r\nMost samples analyzed execute with the -r parameter by default, such as:\r\nC:\\Users\\adminx\\AppData\\Roaming\\Network:bin -r\r\nPersistence is achieved via a system service. 
However, the service is removed once the encryption process has\r\ncompleted. Additional tools are used to manipulate the file system and suppress any requests for user input and/or\r\nconfirmation. For example, choice.exe is leveraged to set file attributes as well as delete files (the service\r\nexecutable) when needed.\r\nExample:\r\ncmd.exe (choice.exe) /c choice /t 10 /d y \u0026 attrib -h \"C:\\Users\\xxxxxx\\AppData\\Roaming\\Index\" \u0026 del\r\n\"C:\\Users\\xxxxxx\\AppData\\Roaming\\Index\"\r\nExample:\r\ncmd.exe (choice.exe)\" \u0026 del \"C:\\Users\\xxxxx\\Music\\wastlock_5.exe\"\r\nUpon launching, and as part of the -r parameter, the ransomware process has to take ownership of the copy of\r\nthe payload dropped into SYSTEM32. This is achieved via commands similar to the following:\r\ntakeown.exe /F C:\\Windows\\system32\\Setup2.exe\r\nBasic VSSADMIN commands are used for deletion of Volume Shadow Copies; for example:\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nConclusion\r\nWastedLocker is just one more example of the highly aggressive ransomware families following in the footsteps\r\nof REvil, NetWalker, and others. Prevention, in these attacks, is absolutely critical. Stopping the attackers before\r\nthey gain any traction is the most effective way to protect you and your sensitive data. This will especially be true\r\nshould the actors behind WastedLocker decide to leak the data of their victims. 
SentinelOne’s Endpoint Protection\r\nand Singularity platform are the most robust and powerful tools at the disposal of today’s defenders.\r\nIndicators \u0026 IOCs\r\nMITRE ATT\u0026CK\r\nHide Artifacts: Hidden Files and Directories T1564\r\nHide Artifacts: NTFS File Attributes T1564\r\nSystem Services: Service Execution T1569\r\nAbuse Elevation Control Mechanism: Bypass User Access Control T1548\r\nNative API T1106\r\nCommand and Scripting Interpreter T1059\r\nFile Permissions Modification T1222\r\nCommand-Line Interface T1059\r\nData Encrypted for Impact T1486\r\nInhibit System Recovery T1490\r\nHashes SHA256\r\ned0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3\r\ne3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb\r\nbcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8\r\naa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772\r\n9056ec1ee8d1b0124110e9798700e473fb7c31bc0656d9fc83ed0ac241746064\r\n8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80\r\n887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d\r\n97a1e14988672f7381d54e70785994ed45c2efe3da37e07be251a627f25078a7\r\n85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb\r\n7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a\r\n5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367\r\nHashes SHA1\r\n9292fa66c917bfa47e8012d302a69bec48e9b98c\r\nbe59c867da75e2a66b8c2519e950254f817cd4ad\r\n70c0d6b0a8485df01ed893a7919009f099591083\r\n4fed7eae00bfa21938e49f33b7c6794fd7d0750c\r\n763d356d30e81d1cd15f6bc6a31f96181edb0b8f\r\ne13f75f25f5830008a4830a75c8ccacb22cebe7b\r\nb99090009cf758fa7551b197990494768cd58687\r\n809fbd450e1a484a5af4ec05c345b2a7072723e7\r\ne62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07\r\n91b2bf44b1f9282c09f07f16631deaa3ad9d956d\r\nf25f0b369a355f30f5e11ac11a7f644bcfefd963\r\nSource: 
https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/"
	],
	"report_names": [
		"wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434751,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7fc86b1b4b5b304c28651ce568311724f17b5dc3.pdf",
		"text": "https://archive.orkl.eu/7fc86b1b4b5b304c28651ce568311724f17b5dc3.txt",
		"img": "https://archive.orkl.eu/7fc86b1b4b5b304c28651ce568311724f17b5dc3.jpg"
	}
}