silversurfer
- Aug 17, 2014
In a new report shared with BleepingComputer prior to release, Sophos security researchers explain how WastedLocker uses the Windows Cache Manager to evade detection.
To increase Windows's performance, commonly used files or files specified by an application are read into and stored in the Windows Cache, which utilizes system memory.
If a program needs to access a file, the operating system will check if it is in the cache, and if so, load it from there. As the data is cached in memory, it makes it much faster to access its contents than reading it from a disk drive.
To bypass detection by anti-ransomware solutions, WastedLocker includes a routine that opens a file, reads it into the Windows Cache Manager, and then closes the original file.
As the data is now stored in the Windows Cache Manager, WastedLocker will then encrypt the file's contents stored in the cache, rather than the file stored on the file system.
When the contents of a file stored in the Windows cache are modified, they become 'dirty.' When enough data become dirty, the Windows Cache Manager will write the encrypted cached data back to their original files.
As the Windows Cache Manager is running as a System process, security software will see the writing of the encrypted data from an allowed and legitimate Windows process, [...]
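The following Python is an added illustration of the mechanism the quoted article describes; it is not code from the Sophos report, from BleepingComputer, or from WastedLocker itself. It assumes (my reading of the description, not something the post states) that the "read into the cache, modify, close" routine is memory-mapped file I/O: a process that edits a file only through a shared mapping never issues a write() of its own, the touched pages become dirty in the OS file cache, and the operating system writes them back later. On Windows that write-back is performed by the Cache Manager inside the System process, which is the attribution gap the article points to; on Linux the kernel's page-cache writeback plays the same role, so the demo runs on either. The XOR byte standing in for encryption, the file names and the sample contents are all constructed for the demo.

```python
import mmap
import os
import tempfile

# Toy reversible transform standing in for the ransomware's encryption step.
# XOR with one fixed byte is NOT encryption; it only makes the change visible
# so the write-back path can be observed. (Constructed for this demo.)
TOY_KEY = 0x5A


def make_sample_file(data: bytes) -> str:
    """Write constructed sample data to a temp file with normal I/O; return its path."""
    fd, path = tempfile.mkstemp(prefix="cache-writeback-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def transform_via_mapping(path: str) -> int:
    """Modify a file only through a shared memory mapping of it.

    This process never calls write()/WriteFile(). Touching the mapped pages
    marks them dirty in the OS file cache (Windows Cache Manager, Linux page
    cache); the OS, not this process, later writes them to the file.
    Returns the number of bytes modified.
    """
    size = os.path.getsize(path)
    if size == 0:
        return 0  # an empty file cannot be mapped; nothing to do
    with open(path, "r+b") as fh:
        with mmap.mmap(fh.fileno(), size, access=mmap.ACCESS_WRITE) as view:
            view[:] = bytes(b ^ TOY_KEY for b in view[:])
            # Leaving the block unmaps the view; the dirty pages stay behind
            # for the cache to flush. view.flush() would force it but is not
            # required for the change to reach the file.
    return size


def transform_via_write(path: str) -> int:
    """Same transform through the ordinary read/modify/write path, for contrast.

    Here the process itself issues the write syscall, which is what
    process-attributed file-write monitoring is able to see.
    """
    with open(path, "r+b") as fh:
        data = fh.read()
        fh.seek(0)
        fh.write(bytes(b ^ TOY_KEY for b in data))
    return len(data)


def read_back(path: str) -> bytes:
    """Read the file with plain I/O, i.e. through the cache after write-back."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    sample = b"constructed sample document, not real victim data\n"
    p = make_sample_file(sample)
    try:
        transform_via_mapping(p)
        print("after mapping-only modification:", read_back(p))
        transform_via_mapping(p)  # XOR twice restores the original
        print("restored:", read_back(p) == sample)
    finally:
        os.remove(p)
```

The point of the two functions is the difference in who performs the disk write: transform_via_write makes this process the writer, while transform_via_mapping only dirties cached pages and leaves the write to the OS. For defenders that means a rule keyed on "process X wrote to file Y" will not fire for the mapping path; on Windows the paging writes arrive from the System process, so a file-system minifilter or EDR has to treat the earlier open-for-write and section mapping of the file as the suspicious event, and should not rely on the identity of the process behind the eventual paging write.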