recipeer.blogg.se

Symantec ransomware protection










UPDATE June 30: Further investigation by Symantec has confirmed dozens of U.S. newspaper websites owned by the same parent company have been compromised by SocGholish injected code. Some of the organizations targeted by WastedLocker could have been compromised when an employee browsed the news on one of its websites. Symantec has notified the company and it has now removed the malicious code.

Symantec, a division of Broadcom, has identified and alerted our customers to a string of attacks against U.S. companies by attackers attempting to deploy the WastedLocker ransomware (Ransom.WastedLocker) on their networks. The end goal of these attacks is to cripple the victim’s IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion dollar ransom. At least 31 customer organizations have been attacked, meaning the total number of attacks may be much higher. The attackers had breached the networks of targeted organizations and were in the process of laying the groundwork for staging ransomware attacks.

WastedLocker is a relatively new breed of targeted ransomware, documented just prior to our publication by NCC Group, while Symantec was performing outreach to affected networks. WastedLocker has been attributed to the notorious “Evil Corp” cyber crime outfit. Evil Corp has previously been associated with the Dridex banking Trojan and BitPaymer ransomware, which are believed to have earned their creators tens of millions of dollars. Two Russian men who are alleged to be involved in the group have open indictments against them in the U.S.

The attacks begin with a malicious JavaScript-based framework known as SocGholish, tracked to more than 150 compromised websites, which masquerades as a software update. Once the attackers gain access to the victim’s network, they use Cobalt Strike commodity malware in tandem with a number of living-off-the-land tools to steal credentials, escalate privileges, and move across the network in order to deploy the WastedLocker ransomware on multiple computers.

The attacks were proactively detected on a number of customer networks by Symantec’s Targeted Attack Cloud Analytics, which leverages advanced machine learning to spot patterns of activity associated with targeted attacks. The activity was reviewed by Symantec’s Threat Hunter team (part of Symantec’s Endpoint Security Complete offering) who verified it and quickly realized it corresponded closely to publicly documented activity seen in the early stages of WastedLocker attacks.











