Real World Risk Management Practical HR Resources

A Major Ransomware Attack Is Uncovered: How Can Employers Avoid These In The Future?

Symantec recently uncovered a plan for a large-scale cyberattack targeting dozens of U.S. corporations using WastedLocker ransomware.

The cybercriminals had already "breached the networks of targeted organizations and were in the process of laying the groundwork for staging ransomware attacks." At least 31 customer organizations are known to have been attacked, and experts believe the total number of attacks is much higher.

All of the identified targeted organizations are located in the U.S., and most of them are major corporations. They represent a diverse range of sectors, including manufacturing, information technology, media and telecommunications. At least eight of them were Fortune 500 companies.

The goal of the cybercriminals was to encrypt most of the computers and servers of the targeted organization, making their information technology infrastructure inoperable. The cybercriminals would then demand a multimillion-dollar ransom.

WastedLocker is a relatively new type of targeted ransomware. It is delivered disguised as a software update through SocGholish, a malicious JavaScript-based framework that has been found on more than 150 compromised websites.

After the cybercriminals access the victim's network, they use Cobalt Strike commodity malware along with other tools to "steal credentials, escalate privileges, and move across the network in order to deploy the WastedLocker ransomware on multiple computers." The attack also used the Windows Management Instrumentation Command Line Utility (wmic.exe) to execute commands on remote computers.
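The wmic.exe behaviour described above is something a security team can watch for, because legitimate WMIC use on a workstation rarely creates processes on other machines. The following is an added example written for this article, not code from Symantec's report or from the article itself: it runs a simple detection over process-creation events (shaped like a flattened EDR or Sysmon export) and flags WMIC invocations that name a remote host with `/node:` and create a process there. The hostnames, user names, paths and event records are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events, shaped like a flattened EDR / Sysmon
# Event ID 1 export. Hosts, users and paths are made up for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-014", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get caption"},
    {"host": "WS-014", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic /node:"FILESRV01" /user:"CORP\svc_backup" process call create "cmd.exe /c C:\Windows\Temp\upd.exe"'},
    {"host": "WS-014", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic /node:APPSRV02 os get lastbootuptime"},
    {"host": "WS-014", "user": "CORP\\jdoe", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c Get-Process"},
]

# /node:<value> names the remote computer(s); the value may be quoted and may be
# a comma-separated list. Hostnames do not contain spaces, so \S+ is sufficient.
NODE_RE = re.compile(r"/node:(\S+)", re.IGNORECASE)
# "process call create" is the WMIC verb that starts a new process on the target.
PROCESS_CREATE_RE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)


def remote_targets(command_line: str) -> List[str]:
    """Extract every host named by a /node: switch, with quotes stripped."""
    targets = []
    for raw in NODE_RE.findall(command_line):
        for part in raw.split(","):
            host = part.strip().strip('"')
            if host:
                targets.append(host)
    return targets


def analyze_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for suspicious WMIC use, or None for routine activity."""
    if not event["image"].lower().endswith("\\wmic.exe"):
        return None
    cmd = event["command_line"]
    targets = remote_targets(cmd)
    creates_process = bool(PROCESS_CREATE_RE.search(cmd))
    if targets and creates_process:
        severity, reason = "high", "WMIC used to create a process on a remote host"
    elif targets:
        severity, reason = "medium", "WMIC queried a remote host from a workstation"
    else:
        return None  # local WMIC queries are routine and not worth alerting on
    return {"host": event["host"], "user": event["user"], "parent": event["parent"],
            "targets": targets, "severity": severity, "reason": reason, "command_line": cmd}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run analyze_event over a batch of events and keep only the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f'[{finding["severity"]}] {finding["host"]} {finding["user"]} -> '
              f'{",".join(finding["targets"])}: {finding["reason"]}')
```

In a real deployment the medium-severity rule should be scoped to workstations or to accounts that are not expected to administer servers; on a help-desk jump host, remote WMIC queries are normal and the rule would otherwise be noisy.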

The "Evil Corp" cybercrime outfit, which is associated with the Dridex banking Trojan and BitPaymer ransomware, has been credited with creating WastedLocker. Evil Corp has likely netted tens of millions of dollars from their previous two campaigns. "WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations" (Jun. 25, 2020).


In WastedLocker attacks, as in many other cyberattacks, organizations are compromised initially by a zipped file delivered via a compromised legitimate website.

Symantec discovered at least 150 legitimate websites that were redirecting traffic to websites hosting the malicious SocGholish zip file. Often, multiple cybercriminals use the same redirection services, meaning the websites could lead to a variety of malware.

Training alone is not enough to protect employees from this type of risk, because the compromise does not begin with an employee clicking a malicious link or visiting a known unsafe website. As far as they know, they are on a legitimate, safe website, and they may even have been careful to type in the correct address themselves.

Strong cybersecurity software is also essential to protect against attacks that hijack a legitimate website to redirect users to a malicious one. To reduce the risk of a URL redirect attack, equip all devices and computers with a quality anti-phishing browser extension and anti-virus software. In addition, require all employees to keep their web browser up to date.

Anti-phishing browser extensions can prevent the malicious website from loading after a user is redirected from a legitimate site. This is a useful tool in the cybersecurity software toolkit that should not be overlooked. Remind employees that browser updates often contain patches that prevent cybercriminals from exploiting known vulnerabilities, and that they should always install updates as soon as they are available.

Training is important to keep employees from downloading an unsafe file after they are redirected. In the case of WastedLocker, the zipped file contained a malicious JavaScript file that claimed to be a browser update. Train employees never to allow an update in response to a window that pops up when they visit a website.
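Training can be backed by a technical control at the download or mail gateway, since a genuine browser update is never shipped as a script inside a zip archive. The following added example, written for this article rather than taken from it or from any vendor's product, inspects a zip held in memory and flags members that are Windows script files, with higher severity when the file name reads like a browser update or hides a script behind a document-style double extension. The archives and member names are constructed for the example and their contents are inert placeholders.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List

# File types Windows hands to the Windows Script Host or mshta on double-click.
# A genuine browser update is never delivered as one of these.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Document-type extensions sometimes placed before the real one (e.g. "invoice.pdf.js")
# so that a script looks like a document in a file listing.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Words that make a script name look like a software or browser update lure.
UPDATE_WORDS = ("update", "upgrade", "install", "chrome", "firefox", "browser")


def inspect_zip(data: bytes) -> List[Dict[str, str]]:
    """Return one finding per suspicious member of a zip archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)  # zip entries always use '/'
            base = path.name.lower()
            suffixes = [s.lower() for s in path.suffixes]
            if not suffixes or suffixes[-1] not in SCRIPT_EXTENSIONS:
                continue  # not a script: nothing to flag at this layer
            if any(word in base for word in UPDATE_WORDS):
                severity, reason = "high", "script file named like a browser update"
            elif len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
                severity, reason = "high", "script hidden behind a document-style double extension"
            else:
                severity, reason = "medium", "executable script inside archive"
            findings.append({"member": info.filename, "severity": severity, "reason": reason})
    return findings


def verdict(data: bytes) -> str:
    """Collapse findings into a gateway decision: block, quarantine, or allow."""
    findings = inspect_zip(data)
    if any(f["severity"] == "high" for f in findings):
        return "block"
    if findings:
        return "quarantine"
    return "allow"


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Build a small zip in memory; used here only to construct sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, payload in members.items():
            archive.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: the member names mimic the fake-update lure described in
# the article; the contents are inert placeholders, not real scripts.
FAKE_UPDATE = build_sample_zip({"Chrome.Update.js": b"// placeholder, not a real script"})
DOUBLE_EXT = build_sample_zip({"scans/invoice.pdf.js": b"// placeholder"})
BENIGN = build_sample_zip({"report_Q2.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in (("fake update", FAKE_UPDATE), ("double ext", DOUBLE_EXT), ("benign", BENIGN)):
        print(label, "->", verdict(blob), inspect_zip(blob))
```

The check looks only at member names, which is deliberately cheap enough to run on every download; it complements, rather than replaces, anti-virus scanning of the member contents, and a "medium" finding is a reasonable trigger for quarantining the file until an administrator approves it.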
