On Wednesday, Sophos announced a multi-part series on ransomware, with the first instalment concentrating on techniques that WastedLocker uses to avoid detection.
As iTWire has reported, Kaspersky researcher Fedor Sinitsyn issued a detailed report on WastedLocker last week, concentrating on its method of attacking a system and on its command-line interface, which accepted different arguments that controlled the way it operated.
Sinitsyn pointed out that WastedLocker had been increasingly used in the first six months of the year, with the most recent, and possibly the most attention-garnering, attack against wearable technology specialist Garmin.
Sinitsyn said some of the techniques mimicked those used by other ransomware known as Bitpaymer and by the Dridex trojan, with hints that WastedLocker might be a derivative work or share authors with them.
Anand Ajjan and Mark Loman. Courtesy Sophos
"Ransomware defences based on behaviour monitoring typically implement a mini-filter driver," said Sophos researchers Mark Loman and Anand Ajjan. "These are kernel drivers that attach to the file system stack. Mini-filters filter I/O operations in order to keep an eye on everything that happens to files.
"For example, the well-known Process Monitor utility from Sysinternals uses a mini-filter driver to create a real-time log of file system activity. Most anti-ransomware solutions use a similar approach to keep an eye on what happens to files."
They said WastedLocker utilised a trick to make it harder for behaviour-based anti-ransomware solutions to keep track of what was going on: using memory-mapped I/O to encrypt a file.
"Although it is unnecessary for ransomware to access documents as a memory-mapped file, the method is more common nowadays, as Maze and Clop (two common Windows ransomware packages) also employ the same tactic," Loman and Ajjan said.
"This technique allows the ransomware to transparently encrypt cached documents in memory, without causing additional disk I/O. For behaviour monitoring, this may be a problem. Tools used to monitor disk writes may not notice that ransomware is accessing a cached document, because the data is served from memory instead of disk.
"But the kicker here is that WastedLocker is closing the file once it has mapped a file in memory. You’d think this would result in an error, but the trick actually works because the Windows Cache Manager also opens a handle to the file once a file is mapped into memory."
The two researchers said anti-ransomware solutions that correlated activity based on CreateFile and CloseFile operations would miss all the disk I/O performed by the Cache Manager in response to mapped memory operations.
"Ultimately, the Cache Manager will release its internal handle to the memory-mapped file. This may happen after a few minutes, but we have observed that the Cache Manager closes the handle only after several hours," they said.
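To make the blind spot concrete, here is an added toy correlator (not Sophos's code) run over a constructed ProcMon-style log. A monitor that only credits writes made while a process holds an open handle sees nothing from the process that mapped and closed the file; tracking CreateFileMapping and attributing later System (pid 4) writes to the mapping process closes the gap. The log lines, process names and pids are constructed for illustration.

```python
from collections import defaultdict

# Constructed ProcMon-style log (time,pid,process,operation,path); not real telemetry.
# pid 4 is the System process, under which the Cache Manager's lazy writer runs.
SAMPLE_LOG = """\
10:00:00,5678,WINWORD.EXE,CreateFile,C:\\docs\\budget.docx
10:00:01,5678,WINWORD.EXE,WriteFile,C:\\docs\\budget.docx
10:00:02,5678,WINWORD.EXE,CloseFile,C:\\docs\\budget.docx
10:00:10,1234,sample.exe,CreateFile,C:\\docs\\plan.docx
10:00:11,1234,sample.exe,CreateFileMapping,C:\\docs\\plan.docx
10:00:12,1234,sample.exe,CloseFile,C:\\docs\\plan.docx
10:07:40,4,System,WriteFile,C:\\docs\\plan.docx
"""

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        time, pid, proc, op, path = line.split(",", 4)
        events.append({"time": time, "pid": int(pid), "proc": proc, "op": op, "path": path})
    return events

def attribute_writes(events, mapping_aware=False):
    """Return {process: set(paths written)}.

    mapping_aware=False credits a write to a process only while it holds an
    open handle (the CreateFile/CloseFile window model the text describes).
    mapping_aware=True also credits System (pid 4) writes to whichever process
    last created a file mapping over that path, even after it closed its handle.
    """
    open_handles = defaultdict(set)   # path -> pids with a CreateFile not yet closed
    mapper = {}                       # path -> process that last mapped the file
    writes = defaultdict(set)
    for e in events:
        path, op = e["path"], e["op"]
        if op == "CreateFile":
            open_handles[path].add(e["pid"])
        elif op == "CreateFileMapping":
            mapper[path] = e["proc"]
        elif op == "CloseFile":
            open_handles[path].discard(e["pid"])
        elif op == "WriteFile":
            if e["pid"] in open_handles[path]:
                writes[e["proc"]].add(path)
            elif mapping_aware and e["pid"] == 4 and path in mapper:
                writes[mapper[path]].add(path)   # lazy write on the mapper's behalf
    return dict(writes)
```

With the handle-window model, sample.exe is credited with no writes at all; with the mapping-aware model, the delayed System write to plan.docx is attributed back to it.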
Regarding the similarities observed between WastedLocker and Bitpaymer and the Dridex trojan, the pair said both Bitpaymer and WastedLocker abused alternate data streams in the same way. The malware found a clean system file, copied itself to the clean file’s ADS, and then executed itself as a service component of the clean file. This makes it appear that the clean file was the source of the ransomware behaviour.
And both accomplished this using the same technique: they reset the permissions of the targeted system file using icacls.exe in order to add the ADS component, and then copied the clean system file to the %APPDATA% folder.
Loman and Ajjan said Bitpaymer used custom API-resolving functions to call Windows APIs by a hash value rather than by the API function's name. The same code was also used by the Dridex malware and was consistently seen in many earlier Bitpaymer variants. WastedLocker made a major change by removing these functions.
Instead, it calls the Windows API directly in memory. This change improved execution efficiency, since no time is spent computing the hash and resolving the API dynamically.
Both ransomware packages — WastedLocker and BitPaymer — used a similar User Account Control bypass technique to elevate the clean, hijacked process so that it ran the ransomware code (using the ADS technique mentioned above). Bitpaymer added a .cmd file to the registry key (“HKCU\Software\Classes\mscfile\shell\open\command”), so that when eventvwr.exe was executed with elevation it consulted that registry key by default. That, in turn, executed the .cmd file that ran the ransomware binary. WastedLocker used winsat.exe and winmm.dll to run the ransomware binary (the ADS component) by patching winmm.dll.
Over time, Bitpaymer had slowly improved its encryption method. Early variants used an RC4 key for encrypting the file content, and further encrypted the RC4 key using a 1024-bit RSA public key. But later variants — as well as current versions of WastedLocker — made some improvements by using AES-256 in CBC mode for encrypting the files, along with a 4096-bit RSA public key.
Both ransomware packages also encoded the key information with Base64, and stored the encoded key in the ransom note.
Loman and Ajjan said both malware packages customised the ransom note for each victim by adding the name of the organisation. WastedLocker also added the name of the organisation to the ransom note file name as a prefix.
Finally, the two researchers said, WastedLocker could perform certain operations when its main executable was launched with specific arguments, as could some earlier versions of BitPaymer. Both used numbers as arguments, and the numbers each used to indicate the operation the malware was to perform were the same (e.g., -1 indicates the main/initial execution, -2 issues a command to copy the malware and run it using ADS, and -3 indicates that it will begin the file encryption process).
"While none of these alone, or even in combination, is enough to definitively say that, for instance, the same creator was responsible for both ransomware packages, the similarities are so striking as to raise questions about whether the malware author(s) of Bitpaymer and WastedLocker are connected in some collaborative way," Loman and Ajjan noted.