WastedLocker ransomware abuses Windows feature to evade detection

silversurfer

Aug 17, 2014
In a new report shared with BleepingComputer prior to release, Sophos security researchers explain how WastedLocker uses the Windows Cache Manager to evade detection.

To increase Windows' performance, commonly used files or files specified by an application are read into and stored in the Windows Cache, which utilizes system memory.

If a program needs to access a file, the operating system will check if it is in the cache, and if so, load it from there. As the data is cached in memory, it makes it much faster to access its contents than reading it from a disk drive.

To bypass detection by anti-ransomware solutions, WastedLocker includes a routine that opens a file, reads it into the Windows Cache Manager, and then closes the original file.

As the data is now stored in the Windows Cache Manager, WastedLocker will then encrypt the file's contents stored in the cache, rather than the file stored on the file system.

When the contents of a file stored in the Windows cache are modified, they become 'dirty.' When enough data become dirty, the Windows Cache Manager will write the encrypted cached data back to their original files.

As the Windows Cache Manager is running as a System process, security software will see the writing of the encrypted data from an allowed and legitimate Windows process, [...]
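As an added example (not from the article or the forum post), here is a small Python model of the blind spot described above: a detector that trusts writes attributed to System misses the Cache Manager flush, while one that inspects the written bytes catches it. The file paths, the event shape and the sample document are constructed, and the "ciphertext" is fixed-seed random bytes standing in for encrypted output.

```python
import math
import random
from collections import Counter

# Constructed sample document and a stand-in for its encrypted form
# (fixed-seed random bytes, not real ciphertext).
PLAINTEXT = b"Quarterly report: revenue rose 4% on strong services demand. " * 20
_rng = random.Random(1)
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT)))

# Constructed write-back events. The writer is "System" for all of them because,
# as the article explains, the Cache Manager's lazy writer, not the ransomware
# process, is what flushes the dirty pages to disk.
EVENTS = [
    {"path": r"C:\Users\alice\Documents\q3.docx", "writer": "System",
     "before": PLAINTEXT, "after": CIPHERTEXT},
    {"path": r"C:\Users\alice\Documents\notes.txt", "writer": "System",
     "before": PLAINTEXT, "after": PLAINTEXT[:-20] + b"Updated by the user.\n"},
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, close to 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(before: bytes, after: bytes,
                    high: float = 7.5, min_jump: float = 2.0) -> bool:
    """Flag a write that turns structured content into near-uniform bytes."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    return e_after >= high and (e_after - e_before) >= min_jump


def writer_allowlist_alerts(events, trusted=("System",)):
    """Naive detector: ignores writes attributed to trusted Windows processes."""
    return [e["path"] for e in events if e["writer"] not in trusted]


def content_alerts(events):
    """Content-based detector: judges the bytes written, whoever wrote them."""
    return [e["path"] for e in events if looks_encrypted(e["before"], e["after"])]


if __name__ == "__main__":
    print("allowlist detector:", writer_allowlist_alerts(EVENTS))  # []
    print("content detector:  ", content_alerts(EVENTS))           # [q3.docx path]
```

The "before" snapshot is the hard part in practice; a real monitor would compare against a baseline, a shadow copy, or the first bytes read from the file, rather than holding both versions in memory.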
 
