WastedLocker has been around since May 2020, creating enormous damage to many organizations, some of them are part of the US Fortune 500. The last highly mentioned in the media WastedLocker victim was Garmin, which suffered for a few days from interruption to their online services.
The common recommendations for mitigating this attack include:
- Schedule backups.
- Incorporate Known IOCs into IDS.
- Use malware monitoring.
- Update and patch consistently.
It is pretty straight forward why these actions should help mitigating attacks such as WastedLocker, but we would like to present hardening actions for organizations to take, to prevent attacks such as WastedLocker, and any other that uses similar flows.
First, let’s understand the attack flow.
WastLocker attack flow in 15 steps:
- The first step of the attack is using SocGholish- a malicious JavaScript framework that pretenses to be a software update. The SocGholish framework is delivered in a zipp file via compromised websites.
- A second javaScript is executed by wscript.exe. It profiles whether the computer uses commands such as whoami, net user and net group and then uses PowerShell to download discovery related PowerShell scripts.
- The attacker gains access to the victim's network and uses Coblat Strike malware. He uses PowerShell to download and execute a loader. This loader also shares Command and Control domain with the Coblat Strike infrastructure. The loader also contains a .NET injector (which apparently taken from an open-source project called Donut). The injector is used to help inject and execute in-memory playloads.
- The playload injected is known as Coblat Strike Beacon and can be used to execute commands, inject processes, elevate current processes, impersonate other processes, and upload or download files.
- The GetNetComputer command from PowerView is renamed by the attack to a random name.
- The attacker searches using the GetNetComputer command to search for all the computer objects that have filter conditions, such as servers, to get servers instances in return.
- The attacker logs this information in a .tmp file.
- The attacker uses a known method to escalate his privileges. This method involves slui.exe- a Windows command-line utility that's responsible for activating and updating the Windows operating system.
- The attacker uses the Windows Management Instrumentation Command Line (wmic.exe) to execute the command on remote computers. He adds a new user and executes additional downloaded PowerShell scripts.
- Coblat Strike is being used again to carry put credential dumping and to empty log files.
- The attacker now deploys the ransomware. He uses the Windows Sysinternal tool PsExec to launch a legitimate command-line tool for managing Windows Defender.
- The Windows Defender (mpcmdrun.exe) is used to disable scanning of downloaded files and attachments, remove installed definitions, and disable real-time monitoring. It is possible that the attacker uses more than one technique to perform this task.
- The attacker uses PsExec to launch PowerShell, which uses the win32_service WMI class to retrieve services. He also uses the net stop command to stop these services.
- After the attacker has disabled Windows Defender, and other services across the organization, he uses PsExec to launch the WastedLocker ransomware.
- WastedLocker ransomware encrypts the organization's data and deletes shadow volumes.
Hardening actions that can stop WastedLocker:
- Restrict PowerShell- the attacker used PowerShell to download encryption files from a remote location. Restricting PowerShell can almost completely prevent the attacker's ability to download and spread the malicious code.
- Restrict Wscript and wmic
- Activate and harden User Access Control (UAC) in every level- UAC is an integral component in every operating system these days. It is highly important for network security, but organizations often find it makes the OS less comfortable to use, thereby they tend to disable it. Disabling UAC dramatically decrease security posture. The UAC restricts admin commands and tools, thereby disabling it will allow attacker to use command such as vssadmin and takeown to delete the system state (and prevent the organization to restore data), or to claim ownership over files and folders.
- Harden Windows Defender components such the services- the attacker disabled some of the Windows Defender's components that are used as kind of an anti-virus and ATP in the operating system. Properly hardened Windows Defender could have prevented it.
- Harden and manage system tools such as Applocker and Device Guardian- these tools allows to limit the activity of other tools such as Psexec, PowerShell and JavaScript. WastedLocker attackers used Psexec to spread files and to run remote commands for system and local admin users' profiling. Disabling Psexec is not a new recommendation (although it is a Microsoft Sysinternal tool), and could have withhold the attack and control the wscript running (that run the JavaScript at the early stages of the attack).
- Harden to limit libraries that are know for being used in attacks- such as %AppData%, %AppData%\Roaming, %Temp%. Limiting privileges to these libraries would have prevented writing and running files that are stored in them.
- Harden registry keys- such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control , Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg. Hardening actions should include limiting write privileges.
- Harden VSC and similar components- the attacker created extensive and prolonged damage by preventing the victim to recover the network. Hardening the VSC can limit or even prevent the attacker from deleting System State components that are used for rollbacking the system.
- Enable software restriction policies at the user level- this can prevent the attack.
NOTE! It is highly important to enforce hardening actions both on the servers and on endpoints.
