
ANY.RUN helps businesses safely analyze malware like WormLocker inside a safe virtual environment
The WormLocker ransomware, first identified in 2021, is evolving. Thanks to recent analysis in the ANY.RUN sandbox, researchers have discovered that the malware now abuses system utilities to take over victims’ systems. Here’s what your security team needs to know.
WormLocker 2.0 Behavior

When executed inside ANY.RUN’s Interactive Sandbox, WormLocker 2.0 created worm_tool.sys files in the Desktop and Downloads folders.
It used the built-in Windows utilities takeown and icacls to take ownership of system files and rewrite their access permissions.

The malware then extracted its resources into the System32 folder, integrating itself into the operating system.
WormLocker 2.0 also takes several steps to complicate system recovery:
- Disables Task Manager
- Removes hidden files
- Stops the Explorer process and clears the Shell setting, so Explorer does not start again after a reboot and the user is left without a working desktop.
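One way a SOC could turn the behaviours listed above into detection logic, as an added example that is neither ANY.RUN's code nor part of the original post: the rules below run over constructed process-creation command lines (not real sandbox output) and assume the standard Winlogon Shell and DisableTaskMgr registry locations; the exact command syntax WormLocker uses is not given on the page, so the patterns match the behaviour rather than one literal command.

```python
import re

# Constructed process-creation command lines (not real sandbox output); the
# benign icacls line on a user document checks that the rules do not over-fire.
SAMPLE_EVENTS = [
    r'takeown /f C:\Windows\System32\drivers\etc\hosts',
    r'icacls C:\Windows\System32\drivers\etc\hosts /grant Everyone:F',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "" /f',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'taskkill /f /im explorer.exe',
    r'icacls C:\Users\alice\Documents\report.docx /grant alice:F',
    r'notepad.exe C:\Users\alice\notes.txt',
]

# (name, pattern). Registry locations are the standard Windows ones; the exact
# command syntax WormLocker uses is not on the page, so these match behaviour.
RULES = [
    # takeown/icacls aimed at anything under the Windows directory
    ("system_file_ownership_tamper", re.compile(r'\b(takeown|icacls)\b.*\\Windows\\', re.I)),
    # Winlogon Shell value emptied: Explorer will not start at the next logon
    ("winlogon_shell_cleared", re.compile(r'Winlogon.*\s/v\s+Shell\b.*\s/d\s+""', re.I)),
    # Task Manager disabled through the Policies\System key
    ("taskmgr_disabled", re.compile(r'DisableTaskMgr\b.*\s/d\s+1\b', re.I)),
    # Explorer process forcibly terminated
    ("explorer_killed", re.compile(r'\btaskkill\b.*explorer\.exe', re.I)),
]

def classify(cmdline: str) -> list[str]:
    """Names of all rules the command line matches, in rule order."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events: list[str]) -> dict[str, list[str]]:
    """Map each rule name to the command lines that triggered it."""
    hits: dict[str, list[str]] = {name: [] for name, _ in RULES}
    for line in events:
        for name in classify(line):
            hits[name].append(line)
    return hits

def recovery_impaired(events: list[str]) -> bool:
    """True when ownership tampering is paired with a recovery-blocking step."""
    hits = scan(events)
    blockers = ("winlogon_shell_cleared", "taskmgr_disabled", "explorer_killed")
    return bool(hits["system_file_ownership_tamper"]) and any(hits[b] for b in blockers)

if __name__ == "__main__":
    for rule, lines in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(lines)} hit(s)")
    print("recovery impaired:", recovery_impaired(SAMPLE_EVENTS))
```

In production the same rules would be fed from Sysmon Event ID 1 or EDR process-creation telemetry rather than a static list, and the ownership-tamper rule should be tuned against legitimate administrative use of icacls on system paths.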
Encryption and Ransom Process
The ransomware employs AES-256 encryption in CBC mode with a fixed salt. The encryption key is derived from a hardcoded password by SHA-256 hashing, so the key is deterministic for every victim of the sample.

In the case of the analyzed sample, the password was “LUC QPV BTR”. Entering this password decrypted affected files and restored system settings.
The attack concluded with a VBS script that played an audio file stating the ransom demand.
Equip Your SOC Team with Advanced Malware Analysis for Faster Operations
To observe malware’s execution process without needing reverse engineering or manual debugging, researchers can use ANY.RUN’s Interactive Sandbox. The service helps security teams to deploy and use fully interactive Windows, Android, and Linux VMs in seconds.
With the help of the sandbox, businesses can:
- Accelerate Threat Detection: View and engage with files and URLs in real time to shorten detection time.
- Streamline Incident Response: Gain detailed insights into malware actions to speed up response and incident resolution.
- Minimize False Positives: Collect clear evidence of malicious actions along with IOCs to reduce unnecessary investigations and improve alert quality.
SOC teams can use a 14-day trial of ANY.RUN’s Interactive Sandbox to test all of its features.