Ever since ransomware became a major cybersecurity threat, new variants of it have kept appearing. Some were successful, some weren't. Either way, it shows that cybercriminals never stop finding new ways to carry out their schemes.
In October this year, a new and more sophisticated form of ransomware called 'WastedLocker' hit Boyne Resorts' online systems. The attack crippled their entire mainframe and forced them to take their online booking systems offline, which greatly affected their business.
So, what is this new ransomware? WastedLocker, like other ransomware, encrypts files on the target system, rendering them unusable to their owners; to get the files back, the victim has to pay the cybercriminals. WastedLocker was first deployed by a Russia-based cybercriminal group called Evil Corp. It takes its name from the file extension given to the affected files. For example, filename.docx is encrypted to filename.d2lwasted_info.
All ransomware has the same goal, but different families differ in how they achieve it. To understand how WastedLocker differs from other ransomware, there are a few things to know. First, WastedLocker is target-specific: the malware is configured for the target's particular environment. According to reports, attackers study their targets by executing waves of attacks to understand their defenses. Once they find a weak spot, they configure the ransomware to exploit it, so every target receives a different build of WastedLocker.
Second, because it is target-specific and each target receives a different build, existing antivirus definitions may have a hard time detecting it. Antimalware programs rely on the definition updates they receive: the vendor teaches the product how previously seen malware behaves so that it can detect similar behavior on a system. Since ransomware will try its best to avoid detection, antimalware programs also watch for the sequential opening, writing, and closing of files, and will alert you and terminate such processes. WastedLocker uses the Windows cache manager to bypass this detection. It opens the file, reads it into the cache manager, and closes the original file. Now that the data sits in the cache, it encrypts the file using the data stored there. The cache is where frequently used data is kept for quick access.
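The paragraph above describes two behavioral signals a defender can use: bursts of file writes from one process, and the rename of victim files to a ransom extension such as the page's `.d2lwasted_info`. The following is an added illustration (not code from the original article, nor anything published by the vendor or the attackers) of why the first signal alone is not enough. It runs two small heuristics over constructed file-activity events in the shape an EDR or Sysmon-style feed might provide. The assumptions are: the cache-manager variant produces no write events in the malware's own context (the modified pages are flushed later under the System process), the renamed files still carry a `...wasted` suffix, and the rename is still performed by the malware process. Process names, paths, thresholds and the `wasted` suffix pattern are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not a real capture):
# (seconds since start, process name, operation, path).
def _burst(proc, start, step, count, op, path_template):
    """Build `count` evenly spaced events for one process."""
    return [(start + i * step, proc, op, path_template.format(i=i))
            for i in range(count)]

EVENTS = (
    # Legitimate backup job: fast, steady writes, no suspicious renames.
    _burst("backup.exe", 0.0, 0.4, 30, "write", r"C:\Backup\vol{i}.bak")
    # Ransomware encrypting in place: open/write/close bursts, then renames.
    + _burst("locker_direct.exe", 5.00, 0.1, 12, "open", r"C:\Data\doc{i}.docx")
    + _burst("locker_direct.exe", 5.02, 0.1, 12, "write", r"C:\Data\doc{i}.docx")
    + _burst("locker_direct.exe", 5.05, 0.1, 12, "close", r"C:\Data\doc{i}.docx")
    + _burst("locker_direct.exe", 6.50, 0.1, 12, "rename", r"C:\Data\doc{i}.d2lwasted_info")
    # Cache-manager variant (assumed behavior): the malware only opens, reads
    # and closes; the dirty pages are written back later by System.
    + _burst("locker_cache.exe", 20.00, 0.1, 12, "open", r"C:\Data\sheet{i}.xlsx")
    + _burst("locker_cache.exe", 20.02, 0.1, 12, "read", r"C:\Data\sheet{i}.xlsx")
    + _burst("locker_cache.exe", 20.05, 0.1, 12, "close", r"C:\Data\sheet{i}.xlsx")
    + _burst("locker_cache.exe", 21.50, 0.1, 12, "rename", r"C:\Data\sheet{i}.d2lwasted_info")
    + _burst("System", 22.0, 2.5, 12, "write", r"C:\Data\sheet{i}.xlsx")
)

# Generic match for the page's ".d2lwasted_info" style suffix; the prefix
# before "wasted" is assumed to vary per victim, so it is not hard-coded.
RANSOM_SUFFIX = re.compile(r"\.[a-z0-9]+wasted(_info)?$", re.IGNORECASE)


def has_burst(times, window, threshold):
    """True if any span of `window` seconds contains >= threshold timestamps."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def suspicious_processes(events, window=5.0, write_threshold=10, rename_threshold=5):
    """Map each process to the set of heuristics it tripped."""
    write_times = defaultdict(list)
    ransom_renames = defaultdict(int)
    for ts, proc, op, path in events:
        if op == "write":
            write_times[proc].append(ts)
        elif op == "rename" and RANSOM_SUFFIX.search(path):
            ransom_renames[proc] += 1

    verdict = defaultdict(set)
    for proc, times in write_times.items():
        if has_burst(times, window, write_threshold):
            verdict[proc].add("write-burst")      # noisy: backups trip it too
    for proc, count in ransom_renames.items():
        if count >= rename_threshold:
            verdict[proc].add("ransom-extension") # survives the cache trick
    return dict(verdict)


def high_confidence(verdict):
    """Processes worth terminating: those renaming files to a ransom suffix."""
    return sorted(p for p, reasons in verdict.items() if "ransom-extension" in reasons)


if __name__ == "__main__":
    v = suspicious_processes(EVENTS)
    for proc, reasons in sorted(v.items()):
        print(f"{proc:20s} {sorted(reasons)}")
    print("high confidence:", high_confidence(v))
```

Run as written, the write-burst heuristic flags the backup job and the in-place encryptor but misses the cache-manager variant entirely, because its writes surface under System and spread out over time. The rename heuristic catches both ransomware variants and ignores the backup, which is why file-rename and ransom-note telemetry belongs in any ransomware detection alongside raw write counts.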
Finally, WastedLocker is delivered into a system through fake software updates and malicious email links, posing as legitimate emails and Windows updates. WastedLocker targets small to mid-sized companies and asks for ransoms ranging from 500 thousand dollars to a million.
Again, the key to avoiding this kind of threat is vigilance and due care. Since attackers run waves of attacks to familiarize themselves with your defenses, monitoring your security systems and keeping them constantly updated can help block them. Teaching employees about phishing emails and fake updates is crucial too, and all updates should be carried out by a dedicated IT team to ensure they are legitimate. Experts also suggest keeping offline backups, since backups in the cloud can be encrypted as well.
TrinSecurity offers full-service consultation for disaster recovery, protection from cyber security and attacks. Contact us now – +1 (213) 257-1044.