How WastedLocker Evades Anti-Ransomware Tools
Sophos Says Malware Designed to Avoid Security Measures
WastedLocker, a ransomware strain that reportedly shut down Garmin's operations for several days in July, is designed to avoid security tools within infected devices, according to a technical analysis from Sophos.
Sophos researchers determined the ransomware abuses the Microsoft Windows memory management feature to evade detection by security software. They also found other tools within the malware designed to make it difficult to detect, according to a research report released this week.
"WastedLocker … is cleverly constructed in a sequence of maneuvers meant to confuse and evade behavior-based anti-ransomware solutions," Sophos researchers Mark Loman and Anand Ajjan note in the report.
In June and July, several research firms published reports on WastedLocker, noting that the ransomware appears connected to the Evil Corp cybercrime group, originally known for its use of the Dridex banking Trojan. The reports also said the ransomware appears to target large enterprises with significant ransom demands (see: Evil Corp's 'WastedLocker' Campaign Demands Big Ransoms).
WastedLocker apparently was used in an attack on navigation and smartwatch maker Garmin, according to news reports, although the company has not confirmed any specifics about the July 23 incident. Garmin apparently paid a ransom to recover from a July 23 security incident that encrypted several of its systems, according to two news reports as well as expert analysis (see: Garmin Reportedly Paid a Ransom).
WastedLocker and other newer strains of ransomware are increasingly being designed to avoid detection and security tools. These so-called "survival skills" allow the malware to live in the network long enough to encrypt files, according to the Sophos report.
"Survival demands that static and dynamic endpoint protection struggle to make a determination about a file based on the appearance of its code, and that behavioral detection tools are thwarted in their efforts to determine the root cause of the malicious behavior," Loman and Ajjan write.
Sophos notes that newer crypto-locking malware families deploy obfuscation techniques, such as runtime packers, as a way to evade security software, but a few strains have taken this a step further.
WastedLocker appears to have adopted a technique similar to one used by a ransomware strain called Bitpaymer. This evasion method targets Windows API functions in memory, according to the report.
"This technique adds an additional layer of obfuscation by doing the entire thing in memory, where it's harder for a behavioral detection to catch it," the researchers explain.
WastedLocker also makes it harder for behavior-based anti-ransomware tools to keep track of what is going on by using memory-mapped I/O to encrypt a file, Sophos reports. This involves transparently encrypting cached documents in memory without causing disruptions to the disk I/O, which shields it from behavior monitoring software.
The Windows memory management feature improves performance by serving files and application data from the operating system's cache in memory rather than reading them from disk. To trick anti-ransomware tools, WastedLocker opens a file, caches it in memory and then closes it. "This may happen after a few minutes, but we have observed that the Cache Manager closes the handle only after several hours," the report states.
Sophos notes that tools used to monitor disk writes may not notice that ransomware is accessing a cached document because the data is served from memory instead of originating from the disk.
"WastedLocker closes the file once it has mapped a file in memory, and the victim might mistake it as an error. But the trick works because the Windows Cache Manager also opens a handle to the file once a file is mapped into memory," the researchers note.
Once the data is stored in the Windows Cache Manager, WastedLocker encrypts the file's content stored in the cache, according to Sophos. When the data stored in the cache is modified, it becomes "dirty" so that, eventually, Windows itself writes the encrypted cached data back to the original file, and anti-ransomware software does not detect any illegitimate process.