WastedLocker ransomware has garnered attention in recent weeks after an attack on Garmin Inc., a leading provider of "GPS navigation and wearable technology to the automotive, aviation, marine, outdoor and fitness markets". The attack resulted in many Garmin Inc. services being suspended, to the frustration of customers globally. WastedLocker was first detected in May 2020 and is believed to be related to Evil Corp, a hacking group that adopts a highly targeted strategy to infiltrate high-value targets and uses the target's name when composing the suffix appended to encrypted files.

Analysis of the Ransomware Behavior

  • The ransomware uses an Alternate Data Stream (ADS) method to avoid detection.
  • The encryption process excludes some directories and suffixes, as follows:
  • Encrypted files are given the suffix "target name + wasted", as follows:
  • Files including ransom information are generated simultaneously, with the content of the file as follows:
  • The content of the ransom information is as follows:
  • The file in the encryption process is as follows:
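
Two of the behaviors listed above, the use of Alternate Data Streams and the "target name + wasted" suffix, can be checked for on a suspect Windows host. The PowerShell sweep below is an added example, not part of Sangfor's analysis or tooling; the starting path and the allow-list of benign stream names are assumptions to adjust for your environment.

```powershell
# Added example: triage sweep for ADS use and "<target name>wasted" suffixes.
# Assumptions (not from the article): the -Root default and $BenignStreams.
param(
    [string]$Root = 'C:\Users'   # hypothetical starting directory
)

# Stream names that are normally present on healthy files (assumed allow-list).
# ':$DATA' is the default unnamed stream; 'Zone.Identifier' marks downloads.
$BenignStreams = @(':$DATA', 'Zone.Identifier')

$files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue

$findings = foreach ($file in $files) {

    # 1) Extension of the form ".<target name>wasted" (case-insensitive).
    if ($file.Extension -match '^\.[A-Za-z0-9]+wasted$') {
        [pscustomobject]@{
            Reason = 'wasted-suffix'
            Path   = $file.FullName
            Detail = $file.Extension
        }
    }

    # 2) Any named stream outside the allow-list. Only files are checked here;
    #    directories can also carry streams and are not covered by this sweep.
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $streams) {
        if ($BenignStreams -notcontains $s.Stream) {
            [pscustomobject]@{
                Reason = 'unexpected-ADS'
                Path   = $file.FullName
                Detail = '{0} ({1} bytes)' -f $s.Stream, $s.Length
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Reason, Path | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No wasted-suffix files or unexpected streams under $Root"
}
```

A large named stream attached to a file in a system or user-profile directory deserves a closer look before the host is returned to service.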

Ransomware Detection and Killing

  1. Sangfor's Endpoint Secure, Sangfor Next Generation Application Firewall (NGAF), Cyber Command and other security products effectively detect and defend against ransomware. Users who have deployed related products can conduct a security scan to detect ransomware, as follows: 
  2. Sangfor provides free anti-virus tools capable of detecting and killing viruses, available for download here: https://page.sangfor.com/anti-bot-tool

Ransomware Protection

The Sangfor Security Team recommends that ransomware prevention should be a top priority when planning network and application security. At present, files encrypted by ransomware cannot be decrypted, making daily preventative measures all the more critical.

  1. Install patches regularly to fix vulnerabilities.
  2. Regularly perform AND test restoration of non-local backups of important data files.
  3. Don't open email attachments from unknown sources, and don't download software from unknown websites.
  4. Implement a Zero Trust policy and grant permissions to files and directories only to those users who must have access.
  5. Change account passwords regularly, setting a strong password when doing so. Avoid using the same password for multiple platforms and programs to avoid compromising multiple accounts if credentials are stolen.
  6. If RDP is not required for business, close RDP. If a security incident occurs, use Sangfor NGAF (Next Generation Application Firewall) or the Endpoint Secure micro-isolation function to block ports like 3389 and prevent the spread of malware.
  7. Both NGAF and Endpoint Secure have anti-propagation policies for malware and ransomware. In the event of a malware infection, the firewall will enable rules 11080051, 11080027, 11080016 simultaneously, and open the anti-propagation functionality.
  8. Sangfor recommends that NGAF customers upgrade to the latest version and deploy AI-detection capabilities with Engine Zero to achieve the best defense.
  9. Detect new threats instantly and defend your system using Sangfor's cloud based Platform-X management console.
  10. Sangfor Security Services can help users quickly improve their security capabilities using hybrid "human-machine intelligence", and provide services like equipment security compliance inspection, threat hunting, and related vulnerability inspection. Ensure that risks are detected immediately and that response & mitigation strategies are updated to prevent such threats.

Finally, using Endpoint Secure, execute a complete virus scan and system vulnerability scan on the entire network to identify and remove potential attack surfaces. Together, Sangfor Cyber Command, NGAF and Endpoint Secure can help you detect and kill ransomware and protect your intranet.

Consultation and Services

Please do not hesitate to contact Sangfor to get a free consultation and support services:

  • Telephone: +60 12711 7129 (or 7511).
  • Visit the Sangfor Community and select the "Chatbox" option on the right bottom for consultation.
  • Contact us through our contact form for more information & support.
