Mallory
Malware | Ransomware | Used by 2 actors

WastedLocker

WastedLocker is a ransomware family associated with Evil Corp, the group also tracked as INDRIK SPIDER and, in Microsoft's naming, as DEV-0243 operating in partnership with DEV-0206. It has been used against a variety of targets worldwide and was publicly linked to the July 2020 Garmin incident. The cited reporting describes WastedLocker as encrypting data and leaving a ransom note; in the Garmin case it was reported to encrypt data without exfiltrating it, so that victims with intact backups could recover from them.

Documented behaviors include enumeration of removable drives prior to encryption, deletion of volume shadow copies to inhibit recovery, DLL hijacking before execution, and a UAC bypass when the process is not already running with administrator rights on Windows Vista or later. It also checks for specific registry keys related to the UCOMIEnumConnections and IActiveScriptParseProcedure32 interfaces. ATT&CK mappings cited here associate it with Data Encrypted for Impact, Inhibit System Recovery, Abuse Elevation Control Mechanism: Bypass User Account Control, Encrypted/Encoded File, Junk Code Insertion, and Virtualization/Sandbox Evasion: System Checks. For defenders, the shadow-copy deletion and the UAC bypass are the behaviors most readily caught in process-creation and registry telemetry.

The malware is repeatedly linked to Evil Corp in the content, including reporting that Evil Corp affiliates deployed WastedLocker and later shifted to related variants such as Hades, Macaw, PhoenixLocker, and eventually LockBit-associated operations, in part to reduce attribution and evade OFAC sanctions pressure. One cited report states INDRIK SPIDER superseded WastedLocker with Hades ransomware to circumvent OFAC sanctions, and another notes a cessation of WastedLocker activity following the 2020 OFAC advisory, followed by emergence of closely related variants.

Victim and targeting context stated directly in the cited content is limited to Garmin, a wearables technology company, and broader use against organizations worldwide. No file hashes, ransom note filenames, or other concrete IOCs for WastedLocker are provided here, so the technique list below is hunting guidance rather than a signature set.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

Indrik Spider

In DEV-0243’s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker...

via Microsoft (microsoft.com)
APT29

WastedLocker — A ransomware family that has been used against a variety of targets worldwide.

via Blackpoint Cyber (blackpointcyber.com)

This excerpt describes the family only and does not itself name APT29. Elsewhere on this page WastedLocker is linked solely to Evil Corp / INDRIK SPIDER, so verify the APT29 attribution against the full Blackpoint source before relying on it.
MITRE ATT&CK

Techniques & procedures

21 distinct techniques documented for this family, organized by ATT&CK tactic. The evidence excerpts under each technique are corpus-wide summaries of that technique and name other families and groups (Sandworm Team, Akira, BlackCat, APT28 and others); only the behaviors in the summary above are attributed to WastedLocker itself.

Execution

4 techniques
T1059.003 Windows Command Shell (evidence: 2)

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

T1106 Native API (evidence: 1)
T1569.002 Service Execution (evidence: 1)
T1574.001 DLL (evidence: 1)

Persistence

2 techniques
T1112 Modify Registry (evidence: 4)

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

T1543.003 Windows Service (evidence: 2)

“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”

Privilege Escalation

1 technique

T1548.002 Bypass User Account Control (evidence: 2)

"...has presented the user with a UAC prompt to elevate privileges..."; "...has bypassed UAC..."; "...bypass Windows UAC...execute the next payload with higher privileges."

Stealth (ATT&CK tactic: Defense Evasion)

8 techniques
T1027 Obfuscated Files or Information (evidence: 5)

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

T1027.013 Encrypted/Encoded File (evidence: 1)

Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'

T1027.016 Junk Code Insertion (evidence: 1)
T1140 Deobfuscate/Decode Files or Information (evidence: 4)

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

T1497.001 System Checks (evidence: 1)
T1564.001 Hidden Files and Directories (evidence: 1)
T1564.004 NTFS File Attributes (evidence: 1)
T1574.001 DLL (evidence: 1)

Defense Impairment (ATT&CK tactic: Defense Evasion)

2 techniques
T1112 Modify Registry (evidence: 4)

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

T1222.001 Windows File and Directory Permissions Modification (evidence: 1)

Discovery

5 techniques
T1012 Query Registry (evidence: 4)

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

T1083 File and Directory Discovery (evidence: 3)

“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”

T1120 Peripheral Device Discovery (evidence: 3)

The content repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.

T1135 Network Share Discovery (evidence: 1)
T1497.001 System Checks (evidence: 1)

Impact

2 techniques
T1486 Data Encrypted for Impact (evidence: 8)

Attackers move directly to deploying ransomware by editing a Group Policy.

T1490 Inhibit System Recovery (evidence: 3)

Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
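The shadow-copy and boot-configuration commands quoted above, together with the service ImagePath replacement quoted under Persistence (T1543.003), are the kind of pre-encryption activity that process-creation and registry telemetry can catch. What follows is an added example, not code from this page, from Mallory, or from any of the cited reports: a small Python rule set that evaluates Sysmon-style events for T1490 and T1543.003. The event records, rule names and trusted-directory list are constructed for illustration; field names follow Sysmon's process-creation (Event ID 1) and registry value set (Event ID 13) events, the PowerShell pattern is an assumption about how the "PowerShell commands" mentioned above look, and matching on OriginalFileName is there so that a renamed copy of vssadmin.exe is still caught.

```python
"""Added example: T1490 / T1543.003 detection over Sysmon-style events.
Not WastedLocker code and not Mallory's detection content; sample events,
rule names and the trusted-directory list are constructed for illustration.
"""
import re

# Process-creation rules for T1490: (rule name, image-name regex, command-line regex).
# The first three are the exact commands quoted on the page; the PowerShell
# pattern is an assumption (Get-WmiObject Win32_ShadowCopy | Remove-WmiObject style).
T1490_RULES = [
    ("vssadmin delete shadows", r"vssadmin\.exe$", r"delete\s+shadows"),
    ("wmic shadowcopy delete", r"wmic\.exe$", r"shadowcopy\s+delete"),
    ("bcdedit recoveryenabled no", r"bcdedit\.exe$", r"recoveryenabled\s+no"),
    ("powershell Win32_ShadowCopy", r"(powershell|pwsh)\.exe$", r"win32_shadowcopy"),
]

# T1543.003: a service ImagePath value written outside the usual system and
# program directories. The allow-list is constructed and deliberately short.
SERVICE_IMAGEPATH_RE = re.compile(
    r"^hklm\\system\\(currentcontrolset|controlset\d{3})\\services\\[^\\]+\\imagepath$",
    re.IGNORECASE,
)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _normalize_image_path(details: str) -> str:
    """Lower-case an ImagePath value, drop a leading quote and the NT-object
    prefix, and expand the two environment variables services commonly use."""
    d = details.strip().lower().lstrip('"')
    if d.startswith("\\??\\"):
        d = d[4:]
    return d.replace("%systemroot%\\", "c:\\windows\\").replace("%windir%\\", "c:\\windows\\")


def match_process_event(ev: dict) -> list:
    """Return [(technique, rule name)] for a Sysmon Event ID 1 record."""
    if ev.get("EventID") != 1:
        return []
    image = _basename(ev.get("Image", ""))
    # OriginalFileName comes from the PE version resource, so vssadmin.exe
    # copied to update.exe still matches on it.
    original = ev.get("OriginalFileName", "").lower()
    cmdline = ev.get("CommandLine", "").lower()
    hits = []
    for name, image_re, cmd_re in T1490_RULES:
        if (re.search(image_re, image) or re.search(image_re, original)) and re.search(cmd_re, cmdline):
            hits.append(("T1490", name))
    return hits


def match_registry_event(ev: dict) -> list:
    """Return [(technique, rule name)] for a Sysmon Event ID 13 record."""
    if ev.get("EventID") != 13:
        return []
    if not SERVICE_IMAGEPATH_RE.match(ev.get("TargetObject", "")):
        return []
    path = _normalize_image_path(ev.get("Details", ""))
    if path.startswith(TRUSTED_PREFIXES):
        return []
    return [("T1543.003", "service ImagePath outside trusted directories")]


def scan(events: list) -> list:
    """Return (event index, technique, rule name) for every matching event."""
    findings = []
    for idx, ev in enumerate(events):
        for technique, name in match_process_event(ev) + match_registry_event(ev):
            findings.append((idx, technique, name))
    return findings


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe", "OriginalFileName": "bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},                        # benign
    {"EventID": 1, "Image": r"C:\Users\Public\update.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "update.exe delete shadows /all /quiet"},         # renamed vssadmin
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Users\Public\backdoor.exe"},                     # ImagePath replaced
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"%SystemRoot%\System32\spoolsv.exe"},                # legitimate value
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},                                # not ImagePath
]

if __name__ == "__main__":
    for idx, technique, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {technique} {name}")
```

Run as a script it reports events 0, 1, 2 and 4 as T1490 and event 5 as T1543.003, and stays silent on the benign svchost launch, the legitimate spoolsv ImagePath and the unrelated Start value. In production the same rules belong in Sigma or your SIEM's query language; the point here is the two details that make the difference in practice: matching on OriginalFileName as well as the on-disk name, and normalising ImagePath values (quotes, the \??\ prefix, %SystemRoot%) before comparing them against an allow-list.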
