Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
WastedLocker: technical analysis
WastedLocker: technical analysis
harlan4096 Offline
MalWare Zoo Team
*******
Posts: 15,681
Threads: 10,072
Thanks Received: 9,284 in 7,430 posts
Thanks Given: 10,193
Joined: 12 September 18
#1
Bug  01 August 20, 10:29
Quote:
[Image: sl_WastedLocker_02.png]

The use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are being reported every month, sometimes even more often.

On July 23, Garmin, a major manufacturer of navigation equipment and smart devices, including smart watches and bracelets, experienced a massive service outage. As confirmed by an official statement later, the cause of the downtime was a cybersecurity incident involving data encryption. The situation was so dire that at the time of writing of this post (7/29) the operation of the affected online services had not been fully restored.

According to currently available information, the attack saw the threat actors use a targeted build of the trojan WastedLocker. An increase in the activity of this malware was noticed in the first half of this year.

We have performed technical analysis of a WastedLocker sample.

Command line argumentsIt is worth noting that WastedLocker has a command line interface that allows it to process several arguments that control the way it operates.

 -p

Priority processing: the trojan will encrypt the specified directory first, and then add it to an internal exclusion list (to avoid processing it twice) and encrypt all the remaining directories on available drives.

 -f

Encrypt only the specified directory.

 -u username:password \\hostname

Encrypt files on the specified network resource using the provided credentials for authentication.

 -r

Launch the sequence of actions:
  1. Delete ;
  2. Copy to %WINDIR%\system32\.exe using a random substring from the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
  3. Create a service with a name chosen similarly to the method described above. If a service with this name already exists, append the prefix “Ms” (e.g. if the service “Power” already exists, the malware will create a new one with the name “MsPower”). The command line for the new service will be set to “%WINDIR%\system32\.exe -s”;
  4. Start this service and wait until it finishes working;
  5. Delete the service.
 -s:

Start the created service. It will lead to the encryption of any files the malware can find.
...
Continue Reading
Find
Reply


Messages In This Thread
WastedLocker: technical analysis - by harlan4096 - 01 August 20, 10:29

Forum Jump:


Users browsing this thread: 2 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
uBOLite 2026.111.1925 (already available...
uBOLite 2026.111.1...harlan4096 — 11:38
GFYI [Official] AIDA64 Extreme 2025 Chr...
Winners,  Check y...jasonX — 09:58
Windows 11 Insider Build 26220.7535 Adds...
Microsoft has rele...harlan4096 — 08:31
10 Software Tweaks To Make an Old Window...
Older Windows lapt...harlan4096 — 08:29
iOS 26 Adds Call Screening That Effectiv...
Apple has added a ...harlan4096 — 08:28

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (50)theoldevext
avatar (45)algratCep
avatar (50)Qlaude2Sap
avatar (51)Josepharelf
avatar (40)kholukrefar
avatar (49)Lauraimike
avatar (51)WilsonWag
avatar (49)StevenPiole
avatar (40)zetssToomy
avatar (47)GornOr
avatar (50)Jamesmog
avatar (38)opeqyrav
avatar (38)ivanoFloom
avatar (41)uxegihor

[-]
Online Staff
There are no staff members currently online.

>