WastedLocker has been in the highlights for a successful attack on wearable tech and smartwatch manufacturer Garmin and was paid around 10 million for a decryption key. The ransomware is rumored to be working for the Russian Hacking group Evil Corp, a notorious hacking crew with numerous high profile attacks in their resume.
But the security researchers at Sophos discovered how the ransomware was using the inner workings of Windows to avoid detection by anti-ransomware tools and the method they say is quite ingenious and sophisticated.
"That's really sophisticated stuff, you're digging way down into the things that only the people who wrote the internals of Windows should have a concept of, how the mechanisms might work and how they can confuse security tools and anti-ransomware detection," Chester Wisniewski, a principal research scientist at Sophos said.
How WastedLocker uses Windows Cache to hide itself
Usually, anti-ransomware softwares monitor Operating System files for any suspicious behavior like an unknown process performing various functions like opening a file, writing to it, and then closing the file - it will trigger behavior detection and catch any malicious file. But WastedLocker, unlike other traditional ransomware stores the files on Windows Cache and operates from that file and not the original.
Windows cache to speed up processes, stores commonly used files in it so as when the system requires a command, it first checks for the file in the cache and load it from there rather than the drive making the operation much faster.
This ransomware opens a file in the Cache, read it there and close the original file. The software will now encrypt the file stored on the cache and not the original. When many changes are done on the file, the file becomes "dirty" and Windows Cache updates the original file with the changes. Since all these commands are done by a legitimate source and Windows itself - it tricks the detection software into believing the process is a system originated and legit thereby bypassing exposure.
This ability to go undetected makes WastedLocker the most lethal ransomware we have seen yet.
