Threat behavior of Ransom:Win32/WastedLocker

Arrival

Operators typically deploy WastedLocker on enterprise networks during a breach. In one campaign, operators lure users into downloading a fake web browser update. When a user launches the JavaScript file inside the fake .zip update, it runs malicious code that eventually allows the campaign operators to deploy Cobalt Strike, escalate privileges, move laterally to other devices, obtain domain admin access to the target device, and deliver the ransomware payload using the "PSEXESVC.exe" tool.

Initialization

When launched, this ransomware collects information about the device and identifies files for encryption.

Turns off antivirus software

Attackers use the PSEXESVC tool to turn off Microsoft Defender and related activities, such as scanning downloaded files.

Bypasses user account control

This ransomware bypasses user account control (UAC) by using the system file winsat.exe to load a versi...
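The behaviors above give a defender three things to hunt for in process-creation telemetry: a script host running a .js file dropped from a fake update archive, the PsExec service binary appearing on a host, and winsat.exe running from somewhere other than its system location. The script below is an added example, not code from Microsoft or from this page; the event fields, the sample records and the path heuristics are assumptions.

```python
# Added example (not from the Microsoft page): hunt for the WastedLocker
# behaviours described above in Sysmon-style process-creation events.
import ntpath

# Constructed sample events, not real telemetry.
EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_Chrome.Update.zip\Chrome.Update.js"'},
    {"host": "FS02", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    {"host": "WS01", "image": r"C:\Users\alice\AppData\Roaming\abcd\winsat.exe",
     "cmdline": "winsat.exe"},
    {"host": "WS03", "image": r"C:\Windows\System32\winsat.exe",
     "cmdline": "winsat.exe formal"},   # legitimate: benign control case
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"   # assumption: default install path
TEMP_MARKER = "\\appdata\\local\\temp\\" # where Explorer extracts zip members

def base(path):
    return ntpath.basename(path).lower()

def check_js_from_temp(ev):
    """Fake 'browser update': a script host running a .js out of the user's
    temp directory (heuristic; zip extraction path is an assumption)."""
    cmd = ev["cmdline"].lower()
    return base(ev["image"]) in SCRIPT_HOSTS and ".js" in cmd and TEMP_MARKER in cmd

def check_psexesvc(ev):
    """PsExec service binary, the tool the page names for payload delivery."""
    return base(ev["image"]) == "psexesvc.exe"

def check_winsat_out_of_place(ev):
    """winsat.exe is a System32 file; a copy running elsewhere is suspicious
    given the UAC bypass described above (heuristic, an assumption)."""
    return (base(ev["image"]) == "winsat.exe"
            and not ev["image"].lower().startswith(SYSTEM_DIR))

RULES = [("js-from-temp", check_js_from_temp),
         ("psexesvc", check_psexesvc),
         ("winsat-out-of-place", check_winsat_out_of_place)]

def hunt(events):
    """Return (host, rule name, image) for every event that matches a rule."""
    return [(ev["host"], name, ev["image"])
            for ev in events for name, rule in RULES if rule(ev)]

if __name__ == "__main__":
    for host, rule, image in hunt(EVENTS):
        print(f"{host}: {rule} -> {image}")
```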