Dridex Operators Develop 'WastedLocker' Ransomware
2020-06-24 14:20

On the infected host, WastedLocker first performs a series of operations to ensure it runs properly, and only then proceeds to encrypt files.

The ransomware can delete shadow copies to prevent data recovery, and can encrypt files in specific directories only, or all files on a drive.

"Instead of including a list of extension targets, WastedLocker includes a list of directories and extensions to exclude from the encryption process. Files with a size less than 10 bytes are also ignored and in case of a large file, the ransomware encrypts them in blocks of 64MB," the researchers explain.

Once the encryption process has been completed, the ransomware updates a log file with information on the number of targeted files, number of encrypted files, and number of files not encrypted due to access rights issues.

A decrypter for WastedLocker was observed requiring admin privileges and reporting on the number of successfully decrypted files.
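
For defenders, the shadow copy deletion mentioned above is usually visible in process-creation logs before encryption starts. The following is an added example, not code from the article or the researchers: it flags command lines that remove or shrink shadow copies. The rule set, host names and sample events are constructed assumptions, since the article does not say which mechanism WastedLocker uses.

```python
import re

# Rules for command lines that remove or shrink Volume Shadow Copies.
# Assumption: these are generic Windows utilities; the article does not
# state which mechanism WastedLocker itself uses.
RULES = [
    ("vssadmin-delete", r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    ("vssadmin-resize", r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b"),
    ("wmic-delete", r"\bwmic(?:\.exe)?\s+shadowcopy\s+(?:where\s+\S.*?\s+)?delete\b"),
    ("powershell-wmi",
     r"win32_shadowcopy.*(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

def normalise(command_line):
    """Drop double quotes and collapse whitespace so spacing does not matter."""
    return re.sub(r"\s+", " ", command_line.replace('"', "")).strip()

def find_shadow_copy_deletion(events):
    """Return (host, rule, command_line) for each matching process event."""
    hits = []
    for event in events:
        cmd = normalise(event["command_line"])
        for name, rx in COMPILED:
            if rx.search(cmd):
                hits.append((event["host"], name, event["command_line"]))
                break  # one hit per event is enough for triage
    return hits

# Constructed process-creation events (hypothetical hosts, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-014", "command_line": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS-014", "command_line": "vssadmin list shadows"},
    {"host": "FS-02", "command_line": r'"C:\Windows\System32\wbem\WMIC.exe"  shadowcopy delete'},
    {"host": "FS-02", "command_line":
     'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"host": "WS-101", "command_line": r"notepad.exe C:\Users\a\notes.txt"},
]

if __name__ == "__main__":
    for host, rule, cmd in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

Listing shadow copies is not flagged; only deletion and storage resizing are.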


News URL

http://feedproxy.google.com/~r/Securityweek/~3/aa2gGzYRqJg/dridex-operators-develop-wastedlocker-ransomware