Ransom.binADS

Short bio

Ransom.binADS is Malwarebytes’ detection name for a ransomware family that is used in targeted attacks. This family is alos known under the name WastedLocker.

Type and source of infection

Ransom.binADS is ransomware of the type that encrypts files and thean asks for a ransom to decrypt them.
Ransom.binADS is delivered onto a compromised system inside the network of the targeted organization. The initial infection is often done through websites that push fake updates.

Aftermath

Because of the targeted nature of this ransomware, it is advised to do a full network scan to find any backdoors or other tools that the threat actors may have left behind, and which may enable them to regain access to the network.

Protection

Malwarebytes detects WastedLocker ransomware as Ransom.BinADS.

Ransom.binADS

Business remediation

To remove Ransom.binADS using Malwarebytes business products, follow the instructions below.

How to remove Ransom.binADS with Malwarebytes Endpoint Protection

  1. Go to the Malwarebytes Cloud console.
  2. To allow you to invoke a scan while the machine is off the network, go to Settings > Policies > your policy > General.
  3. Under Endpoint Interface Options, turn ON:
    1. Show Malwarebytes icon in notification area
    2. Allow users to run a Threat Scan (all threats will be quarantined automatically)

If you have infected machines that are not registered endpoints in Malwarebytes Endpoint Protection, you can remove Ransom.binADS with our Breach Remediation tool (MBBR).

  1. Log into your My Account page and copy your license key. The key is needed to activate MBBR tool.
  2. Open your Cloud console.
  3. From a clean and safe machine, go to Endpoints > Add > Malwarebytes Breach Remediation. This will download the MBBR zip package.
  4. Unzip the package.
  5. Access a Windows command line prompt and issue the following commands:
    mbbr register –key:<prodkey>
    mbbr update
    Note: You must substitute your license key for <prodkey>.
  6. Copy the MBBR folder to a flash drive.
  7. From an infected, offline machine, copy the MBBR folder from the flash drive.
  8. Start a scan using the following command:
    mbbr scan –full –ark –remove –noreboot
  9. Refer to the Malwarebytes Breach Remediation Windows Administrator Guide for all supported scanning commands.

How to remove Ransom.binADS with Malwarebytes Endpoint Security

You can use Malwarebytes Anti-Malware v1.80, which is included in your Malwarebytes Endpoint Security deployment to scan and remove Ransom.binADS.

Option 1
  1. Remove the infected endpoint from the network.
  2. On the infected machine, right click the system tray icon and click on Start Scanner.
    MBES start scanner
  3. Select Perform full scan.
    MBES scan options
  4. Click on Scan button.
Option 2
  1. Open CMD
  2. CD to C:\Program Files (x86)\Malwarebytes’ Anti-Malware
  3. Run mbamapi /scan –full –remove -reboot

IOCs

A ransom note will be created for each encrypted file with *wasted and *wasted_info filenames for encrypted files and the ransom notes.

Layout of the ransom note:

*ORGANIZATION_NAME*
YOUR NETWORK IS ENCRYPTED NOW
USE *EMAIL1* | *EMAIL2* TO GET THE PRICE FOR YOUR DATA
DO NOT GIVE THIS EMAIL TO 3RD PARTIES
DO NOT RENAME OR MOVE THE FILE
THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]*[end_key]
KEEP IT

On systems with a suitable file-system an Alternate Data Stream (ADS) is used as a means to run the ransomware processes. On others the ransomware binary is copied file to %windir%\system32 and the attacker will take ownership of it (takeown.exe /F filepath) and reset the ACL permissions.

 

Select your language