By Ben Baker, Edmund Brumaghin, JJ Cummings and Arnaud Zobec.

Threat summary

  • After initially compromising corporate networks, the attacker behind WastedLocker performs privilege escalation and lateral movement prior to activating ransomware and demanding ransom payment.
  • The use of “dual-use” tools and “LoLBins” enables adversaries to evade detection and stay under the radar as they further operate towards their objectives in corporate environments.
  • WastedLocker is one of the latest examples of adversaries’ continued use of lateral movement and privilege escalation to maximize the damage caused by ransomware.
  • The use of “big-game hunting” continues to cause significant operational and financial damages to organizations around the globe.


Ransomware is a serious threat to organizations around the world. It is used to disrupt operations on computing systems so that attackers can extort victims and demand payment, typically in the form of cryptocurrency, to restore normal operations on infected systems. As the threat actors behind ransomware attacks have matured in their capabilities, they have refined their approach to generating revenue using this business model. One recent evolution has been the use of privilege escalation and lateral movement techniques prior to the activation of ransomware payloads within organizational environments.

By delivering and activating ransomware on many different systems within corporate networks simultaneously, attackers can maximize the damage they inflict. This often results in a situation where organizations may be more likely to pay a ransom demand than they otherwise would have been, had only a single endpoint been affected. In some cases organizational backup and recovery strategies may not have been adequately tested against situations in which a significant portion of their production environment is adversely affected at the same time, which may cause them to be more willing to pay a ransom demand. It also allows adversaries to increase the amount of the ransom they are demanding, often resulting in ransom demands for hundreds of thousands of dollars or more to recover infected systems. This approach is sometimes referred to as “big-game hunting.”

Adversaries have used this approach more frequently over the past year. One of the most recent examples of this is with the emergence of a threat actor that is currently leveraging a ransomware family known as “WastedLocker.” The adversary behind these attacks is taking advantage of various “dual-use” toolsets like Cobalt Strike, Mimikatz, Empire, and PowerSploit to facilitate lateral movement across environments being targeted. These toolsets are typically developed to aid with penetration testing or red-teaming activities, but their use is often co-opted by malicious adversaries as well. Additionally, the use of native operating system functionality, and what are commonly referred to as “LoLBins” allows attackers to evade detection and operate under the radar until they are ready to activate the ransomware and make their presence known.



Talos Group

Talos Security Intelligence & Research Group