Mallory
Malware / Ransomware / Used by 3 actors

WastedLocker

WastedLocker is a ransomware family used against a variety of targets worldwide and widely linked to the Russian cybercrime group Evil Corp, also referenced in some reporting as INDRIK SPIDER or DEV-0243-associated activity. Reporting in the provided content ties WastedLocker to major incidents including the 2020 Garmin outage. The malware encrypts data and, according to one cited report, does not exfiltrate data. It has also been described as part of Evil Corp’s broader shift from banking-trojan and loader ecosystems into ransomware operations, with one source asserting its developer was also involved in the ISFB ecosystem.

Behaviorally, the content states that WastedLocker creates and establishes a Windows service that runs until encryption is complete, copies a random file from the Windows System32 directory into %APPDATA% under a hidden filename, checks specific registry keys related to the UCOMIEnumConnections and IActiveScriptParseProcedure32 interfaces, enumerates removable drives prior to encryption, and deletes shadow volumes to inhibit recovery. The content also notes that WastedLocker can be deployed following SocGholish/FakeUpdates initial access activity and alongside tooling such as Cobalt Strike and NetSupport. Microsoft reporting cited in the content says DEV-0243 partnered with DEV-0206 and deployed WastedLocker before later shifting to other ransomware variants, likely to reduce attribution pressure tied to sanctions. Additional reporting says WastedLocker activity later declined and closely related variants such as Hades emerged, with one source explicitly stating Hades superseded WastedLocker to circumvent OFAC sanctions.

High-confidence associations in the content include Evil Corp attribution, use as a ransomware payload in broader intrusion chains, impact on Windows environments, removable-drive enumeration, shadow-copy deletion, service-based execution during encryption, and the Garmin incident. No specific ransom note text, file extension, or concrete IOC values are provided in the content.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
Indrik Spider

"For example, he sold a ransomware in 2019 (WastedLocker) and his coding style is noted around other malware families like Carberp."

Source: CSIS Techblog (medium.com)
EvilCorp

"This includes tools for remote access, such as Cobalt Strike and NetSupport, and ransomware, such as WastedLocker, which has been attributed to the threat actor EvilCorp."

Source: SentinelOne Labs (sentinelone.com)
APT29

"WastedLocker — A ransomware family that has been used against a variety of targets worldwide."

Source: Blackpoint Cyber (blackpointcyber.com)
MITRE ATT&CK

Techniques & procedures

18 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1059.003 Windows Command Shell (evidence: 2)

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

T1574.001 DLL (evidence: 1)

Persistence

2 techniques
T1112 Modify Registry (evidence: 4)

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

T1543.003 Windows Service (evidence: 3)

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

Privilege Escalation

2 techniques
T1543.003 Windows Service (evidence: 3)

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

T1548.002 Bypass User Account Control (evidence: 2)

"...has presented the user with a UAC prompt to elevate privileges..."; "...has bypassed UAC..."; "...bypass Windows UAC...execute the next payload with higher privileges."

Stealth

6 techniques
T1027 Obfuscated Files or Information (evidence: 5)

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

T1027.013 Encrypted/Encoded File (evidence: 1)

Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'

T1140 Deobfuscate/Decode Files or Information (evidence: 5)

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

T1564.001 Hidden Files and Directories (evidence: 1)

Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.

T1564.004 NTFS File Attributes (evidence: 1)

T1574.001 DLL (evidence: 1)

Defense Impairment

2 techniques
T1112 Modify Registry (evidence: 4)

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

T1222.001 Windows File and Directory Permissions Modification (evidence: 1)

Discovery

4 techniques
T1012 Query Registry (evidence: 4)

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

T1083 File and Directory Discovery (evidence: 3)

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

T1120 Peripheral Device Discovery (evidence: 3)

The content repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.

T1135 Network Share Discovery (evidence: 1)

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 3)

Loader feature: it can load a second-stage payload as an EXE or DLL.

Impact

2 techniques
T1486 Data Encrypted for Impact (evidence: 8)

Numerous ransomware/wiper examples enumerate files before encryption, such as "BlackCat can enumerate files for encryption", "NotPetya searches for files ending with dozens of different file extensions prior to encryption", and "WastedLocker can enumerate files and directories just prior to encryption."

T1490 Inhibit System Recovery (evidence: 2)

Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
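The shadow-volume deletion attributed to WastedLocker in the overview, and the exact recovery-inhibition commands quoted under T1490 above, are what a defender would hunt for in process-creation telemetry. The following is an added detection example (not code from the page or from any cited vendor) that runs those T1490 patterns over constructed, hypothetical process events; the event field names and values are assumptions for illustration.

```python
import re

# Constructed sample process-creation events (hypothetical; not taken from any cited report).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4133, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"pid": 4140, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4151, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},        # benign admin query, must not fire
    {"pid": 4160, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir C:\\Users"},             # unrelated, must not fire
]

# One rule per recovery-inhibition command listed under T1490 on this page.
# Matching is on the command line, case-insensitive, tolerant of an optional ".exe".
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit recoveryenabled No",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
]


def match_t1490(event):
    """Return the names of all T1490 rules the event's command line satisfies."""
    cmdline = event.get("cmdline", "")
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(events):
    """Return (pid, rule_name) hits in event order; benign admin queries produce none."""
    hits = []
    for event in events:
        for name in match_t1490(event):
            hits.append((event["pid"], name))
    return hits


def is_recovery_inhibited(events):
    """True if any recovery-inhibition command was observed; WastedLocker-style
    activity deletes shadow volumes before encrypting, so one hit is already actionable."""
    return bool(scan(events))


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"ALERT T1490 pid={pid}: {rule}")
```

Run it over real Sysmon Event ID 1 or EDR process-creation records by mapping their command-line field onto `cmdline`; tuning to exclude scheduled backup-maintenance jobs is the usual false-positive work.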
