See Cynet’s Autonomous
Breach Protection in Action

Prefer a one-on-one demo? Click here

By clicking next I consent to the use of my personal data by Cynet in accordance with Cynet's Privacy Policy and by its partners


Brought to you by Cynet's CyOps Center

Cynet's 24/7 MDR with the latest security updates and reports

Learn more about CyOps

Network Attacks and Exfiltration

Credential Access & Data Collection

Initial Access and Fileless Attacks

Ransomware Threat Reports

Threat Reports



Evasion techniques

Threat Detection Report: Wastedlocker Ransomware

Written by: Moar Huli, Eran Yosef, & Amit Martsiano

Threat Overview

WastedLocker is a ransomware operated by a malware exploitation gang, commonly known as the ‘Evil Corp gang.’ The same gang that is associated with Dridex and BitPaymer.

WastedLocker does not share the same traits as other malware variants from ‘Evil Corp gang’ however it has kept the ability to add specific modules for different targets

The attacks performed using WastedLocker are targeted at US based organizations.

It is suspected that during the first penetration attempt, an assessment of active defenses is made, and the next attempt is specifically designed to circumvent the existing security software and other perimeter protection.

The ransomware name is derived from the filename it creates, which includes an abbreviation of the victim’s name and the string “wasted.”

For each encrypted file, the attackers create a separate file that contains the ransomware note. The ransom note has the same name as the associated file with the addition of “_info.”

Cynet Detection

These are the alerts that were triggered when we ran the ransomware:

1. Malicious Process Command [ADT Mechanism]:

This alert trigger when Cynet detects a CMD process that executes a command that contains suspicious arguments or is associated with malicious patterns.

In this case, an attempt to delete vssadmin shadow copies triggered an alert. Shadow copies are one of the most valuable targets of ransomware.

2. Unauthorized Memory Access Attempt [Driver Mechanism]:

This alert informs the customer that there was an attempt by a particular process to access a forbidden memory location of another process. The alert also describes what permissions the accessing process requested and permissions that Cynet granted the process to use.

In our case, the ransomware tried to access the memory of vssadmin.exe to executes this command: “C:\WINDOWS\system32\vssadmin.exe Delete Shadows /All /Quiet”

This is a standard ransomware activity, in which the malicious actors are trying to delete the shadow copies of the infected machine.

3. Ransomware Heuristic [ADT Mechanism]:

This alert triggers when Cynet detects suspicious behavior, which can be associated with Ransomware (such as changing file extensions to “.Lock”).

Once the file starts to encrypt the files with their extension [ “.d2lwasted_info”] – A ransomware heuristic alert is triggered.

4. Malicious Binary [ADT Mechanism]:

This alert trigger when Cynet detects a file that is flagged as malicious in Cynet’s EPS (endpoint scanner) built-in threat intelligence database. This database contains only critical IoCs (such as IOCs of ransomware, hacking tools, etc.).

Once we executed the ransomware – A Malicious Binary alert is triggered for the malicious file [sample.exe]:

5. File incidents (“Trojan!gen”, “CoinMiner,” PUA! Getn, etc.):

The Cynet agent scans for binary files on protected endpoints. Every file is analyzed by Cynet mechanisms and is given a score. If the file is flagged as “suspicious” (according to pre-defined patterns), the file’s metadata is sent to the Cynet CyOps team. The CyOps analysts manually classify the files after analyzing the file’s metadata.

File Execution:

After execution, the ransomware created several executables and used legitimate Windows programs:

The ransomware note:

The extension of the encrypted files is “.d2lwasted_info”:

CyOps (Cynet Security Operations Center)

The Cynet CyOps is available to clients for any issues 24/7, questions, or comments related to Cynet 360. For additional information, you may contact us directly at:

Phone (US): +1-347-474-0048

Phone (EU): +44-203-290-9051

Phone (IL): +972-72-336-9736

CyOps Email: [email protected]