{"id":7611,"date":"2020-08-05T04:15:24","date_gmt":"2020-08-05T11:15:24","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7611"},"modified":"2023-07-10T14:52:30","modified_gmt":"2023-07-10T21:52:30","slug":"wastedlocker-ransomware-attack-indicators-of-compromise-iocs","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/wastedlocker-ransomware-attack-indicators-of-compromise-iocs\/","title":{"rendered":"WastedLocker Ransomware Attack: Indicators of Compromise (IOCs)"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"7611\" class=\"elementor elementor-7611\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3949114f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3949114f\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4830caad\" data-id=\"4830caad\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-669ec710 elementor-widget elementor-widget-text-editor\" data-id=\"669ec710\" data-element_type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Last week, Garmin fell prey to WastedLocker Ransomware attack. Malicious script masquerading as software updates was delivered through legitimate (but compromised) websites.<\/p><blockquote><p dir=\"ltr\">We have put together a list of compromised\u00a0 websites, IOCs, IP addresses, hashes, that were used to target Garmin. We recommend that you update your IPS (Intrusion Prevention System) and IDS (Intrusion Detection System) to avoid visiting these sites.<\/p><\/blockquote><p><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shrDQRUoEaiK0mqXy?backgroundColor=blue&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><\/p><p><span style=\"font-size: 11px;\"><strong>Courtesy<\/strong>:\u00a0Symantec, nccgroup, Sentinel One, Cyberswachtakendra, IBM\u00a0<\/span><\/p><h3><strong>Ransomware attack on Garmin<\/strong><\/h3><p dir=\"ltr\">On July 23, WastedLocker ransomware attacked Garmin, a global fitness wearable device company causing a five-day outage to its product users and call centers. Garmin\u2019s website, mobile applications, and weather services applications were down, causing widespread disruption and chaos.<\/p><p dir=\"ltr\">WastedLocker, a dangerous ransomware used by the Russian gang named Evil Corp targets US and European organizations and was earlier associated with Dridex, and BitPaymer ransomware attacks.<\/p><h3><strong>Attack methodology\u00a0<\/strong><\/h3><p>The attack was highly customized because the ransomware was delivered through legitimate websites that have been compromised.<\/p><ol><li role=\"listitem\" aria-setsize=\"-1\" data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-listid=\"3\">First, they conduct an initial penetration to assess the active defenses of the target a<\/li><li role=\"listitem\" aria-setsize=\"-1\" data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-listid=\"3\">Next, they tailored their second attempt to bypass security software and other defenses.<\/li><li role=\"listitem\" aria-setsize=\"-1\" data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-listid=\"3\">Once the ransomware is unleashed, it encrypts the files and adds a ransom note for each file.<\/li><li role=\"listitem\" aria-setsize=\"-1\" data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-listid=\"3\">If you wish to retrieve your data, you will need to pay the ransom.<\/li><\/ol><h3 dir=\"ltr\"><img decoding=\"async\" style=\"width: 750px; height: 457px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/wasted-locker-attack-methodology_final.png\" alt=\"\" \/><\/h3><h3 dir=\"ltr\"><strong>How to avoid WastedLocker attack?<\/strong><\/h3><p dir=\"ltr\">WastedLocker ransomware began its attack through 150 compromised websites that were disguised as software updates. Securin analysts have put together a list of domains that have been compromised. We recommend that you add them to your IPS (Intrusion Prevention System) and IDS (Intrusion Detection System) to avoid downloading malicious scripts that would trigger this attack. (<strong>Note<\/strong>: Scroll up to download this list)<\/p><p dir=\"ltr\">The following protection protocols can be activated in your systems\/devices to protect against this ransomware &#8211;<\/p><p><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shrTfDcVBFdI6xcAv?backgroundColor=blue&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><\/p><p>Over seven scanners are not detecting this ransomware. You can check them out <a href=\"https:\/\/www.virustotal.com\/gui\/file\/887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d\/detection\" target=\"_blank\" rel=\"noopener\">here<\/a>\u00a0and switch to applications that do.<\/p><p>With ransomware attacks becoming more frequent and sophisticated in its payload, we believe that basic knowledge about email phishing and conducting awareness programs about cybersecurity is the need of the hour.\u00a0And where this specific ransomware is concerned, having backup data in a non-connected environment would keep you safe.<\/p><p><img decoding=\"async\" class=\"aligncenter\" style=\"width: 500px; height: 1353px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/wasted-locker-infographic-final-version_v2.png\" alt=\"\" \/><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Evil Corp used compromised legitimate websites to deliver ransomware in Garmin\u2019s environment. The attack caused a 5-day outage for their product users. CSW Analysts have put together a list of domains, hashes, IOCs that have been compromised. Download the list to update your IPS\/IDS and avoid being attacked.<\/p>\n","protected":false},"author":1,"featured_media":7612,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[82,80,81,117],"tags":[368,365,91,367,366],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7611"}],"collection":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/comments?post=7611"}],"version-history":[{"count":6,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7611\/revisions"}],"predecessor-version":[{"id":18769,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7611\/revisions\/18769"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media\/7612"}],"wp:attachment":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media?parent=7611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/categories?post=7611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/tags?post=7611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}