A Major Ransomware Attack Is Uncovered: How Can Employers Avoid These In The Future?

Symantec recently uncovered a plan for a large-scale cyberattack targeting dozens of U.S. corporations using WastedLocker ransomware.

The cybercriminals had already "breached the networks of targeted organizations and were in the process of laying the groundwork for staging ransomware attacks." At least 31 customer organizations are known to have been attacked, and experts believe the total number of attacks is much higher.

All of the identified targeted organizations are located in the U.S., and most of them are major corporations. They represent a diverse range of sectors, including manufacturing, information technology, and media and telecommunications. At least eight of them were Fortune 500 companies.

The goal of the cybercriminals was to encrypt most of the computers and servers of the targeted organization, making their information technology infrastructure inoperable. The cybercriminals would then demand a multimillion-dollar ransom.

WastedLocker is a relatively new type of targeted ransomware. It masquerades as a software update by using SocGholish, a malicious JavaScript-based framework that has been found on more than 150 compromised websites.

After the cybercriminals access the victim's network, they use Cobalt Strike commodity malware along with other tools to "steal credentials, escalate privileges, and move across the network in order to deploy the WastedLocker ransomware on multiple computers." The attack also used the Windows Management Instrumentation Command Line Utility (wmic.exe) to execute commands on remote computers.

The "Evil Corp" cybercrime outfit, which is associated with the Dridex banking Trojan and BitPaymer ransomware, has been credited with creating WastedLocker. Evil Corp has likely netted tens of millions of dollars from their previous two campaigns. "WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations" symantec-enterprise-blogs.security.com (Jun. 25, 2020).

Commentary

In WastedLocker attacks, as in many other cyberattacks, organizations are compromised initially by a zipped file delivered via a compromised legitimate website.

Symantec discovered at least 150 legitimate websites that were redirecting traffic to websites hosting the malicious SocGholish zip file. Often, multiple cybercriminals use the same redirection services, meaning the websites could lead to a variety of malware.

Training is not enough to protect employees from this type of risk, because it is not caused by them clicking on a malicious link or visiting a known unsafe website. As far as they know, they are on a legitimate, safe website and may have even been careful to type in the correct address themselves.

Strong cybersecurity software is also essential to protect against attacks that hijack a legitimate website to redirect users to a malicious one. To reduce the risk of a URL redirect attack, equip all devices and computers with a quality anti-phishing browser extension and anti-virus software. In addition, require all employees to keep their web browser up to date.

Anti-phishing browser extensions can prevent the malicious website from loading after a user is redirected from a legitimate site. This is a useful tool in the cybersecurity software toolkit that should not be overlooked. Remind employees that browser updates often contain patches to prevent cybercriminals from exploiting known vulnerabilities, and to always install them as soon as they are available.

Training is important to keep employees from downloading an unsafe file after they are redirected. In the case of WastedLocker, the zipped file contained a malicious JavaScript that claimed to be a browser update. Train employees to never allow an update in response to a window that pops up when they visit a website.
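The two behaviours the article describes, a fake "browser update" JavaScript launched from a downloaded zip and wmic.exe being used to run commands on remote computers, both leave traces in process-creation telemetry. The following detection logic is an added example, not part of the article or of Symantec's research; the events, hostnames, paths and rule names are constructed for illustration, with the fields mirroring what Sysmon Event ID 1 or an EDR records for each new process.

```python
import re

# Constructed sample process-creation events (not from the article).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\Chrome.Update.zip\Chrome.Update.js"'},
    {"host": "ws01", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": r'wmic /node:"srv02" process call create "C:\Windows\Temp\svc.exe"'},
    {"host": "ws02", "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\maintenance.js"'},
    {"host": "ws02", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": "wmic os get caption"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable locations where a downloaded or extracted zip typically lands.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp|Temp)\\", re.IGNORECASE)
# A .js/.jse file whose name claims to be an update.
FAKE_UPDATE = re.compile(r"update[^\\]*\.jse?\b", re.IGNORECASE)
WMIC_REMOTE = re.compile(r"/node:", re.IGNORECASE)
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)


def classify(event):
    """Return the names of the detection rules this single event triggers."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    hits = []
    # Rule 1: a Windows script host running an "*update*.js" from a user-writable
    # path is the fake-browser-update pattern the article describes.
    if image in SCRIPT_HOSTS and USER_WRITABLE.search(cmd) and FAKE_UPDATE.search(cmd):
        hits.append("fake_browser_update_js")
    # Rule 2: wmic.exe creating a process on another host (/node:) is the remote
    # command execution the article attributes to the WastedLocker operators.
    if image == "wmic.exe" and WMIC_REMOTE.search(cmd) and WMIC_CREATE.search(cmd):
        hits.append("wmic_remote_process_create")
    return hits


def scan(events):
    """Map each host to the rules its events triggered; quiet hosts are omitted."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev["host"], []).append(rule)
    return findings


if __name__ == "__main__":
    for host, rules in scan(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

Running the block reports ws01 for both rules and nothing for ws02, whose legitimate script and local wmic query do not match; in a real deployment the same logic would be run over the endpoint telemetry stream rather than over this embedded list.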
