Cybercrime , Fraud Management & Cybercrime , Ransomware

WastedLocker Ransomware Targets US Newspaper Company

Symantec: Phishing Emails Offered Fake Software Updates
WastedLocker Ransomware Targets US Newspaper Company
An alert about a Wastedlocker ransomware attack (Source: Symantec)

The cybercriminal gang behind the WastedLocker ransomware strain recently targeted dozens of newspaper websites operated by a U.S. media company, according to the security firm Symantec.

See Also: Value Drivers for an ASM Program

The gang sent phishing emails with fraudulent messages about a software update to employees of each newspaper, according to Symantec, which is a division of Broadcom. These emails contained the SocGholish fake update framework, which can deliver malicious payloads, according to Symantec’s report, which did not name the newspapers or their parent company.

The attackers apparently were attempting to infect employees' devices so they could compromise broader corporate networks and install the WastedLocker ransomware, according to the report. Symantec alerted the media company to the developing security incident, and the malicious code was removed before the full ransomware attack started.

Symantec and other security researchers have tied the crypto-locking WastedLocker malware to a cybercriminal organization called Evil Corp, which has been in operation since at least 2011 and is suspected of operating from Russia.

A recent report from NCC Group's Fox-IT said that the WastedLocker gang had recently been targeting many large enterprises and demanding ransoms of up to $1 million (see: Evil Corp's 'WastedLocker' Campaign Demands Big Ransoms).

Larger Scheme

The attacks against the newspaper websites were part of a larger campaign conducted by Evil Corp hackers that may have targeted over 30 organizations throughout the United States, according to the Symantec report. These firms include 11 publicly traded companies, eight of which are part of the Fortune 500, the report notes.

Evil Corp targeted these firms by sending phishing emails that disguised SocGholish as a software update in ZIP file format, Symantec notes.

"Once the attackers gain access to the victim’s network, they use Cobalt Strike commodity malware in tandem with a number of living-off-the-land tools to steal credentials, escalate privileges, and move across the network in order to deploy the WastedLocker ransomware on multiple computers," according to the report.

After it is successfully deployed, WastedLocker then encrypts data and deletes shadow volumes, Symantec says.

It’s unclear if any of the targeted victims paid a ransom, according to Symantec and Fox-IT.

Once reason for this sudden uptick is activity is that hackers based in Russia are taking advantage of a large number of U.S. employees who have been forced to work from home and lack many of the security protections that corporate networks offer, according to the New York Times.

Evil Corp's Ongoing Activities

Since it was spotted in 2011, Evil Corp has been targeting banks, financial institutions, retailers and other businesses in multiple countries, including the U.S.

Evil Corp has been implicated in several large-scale spam and phishing campaigns that have been used to distribute Trojans such as Dridex and The Trick as well as Locky and Jaff ransomware, according to security researchers.

In December 2019, two members of the cybercrime group, including the alleged ringleader, Maksim Yakubets, were indicted by the U.S. Justice Department on multiple charges (see: Two Russians Indicted Over $100M Dridex Malware Thefts).

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.