S0612: WastedLocker
WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media.[1][2][3]
Analyst context for executives and security teams
WastedLocker is a Windows ransomware family that ATT&CK documents as used since at least May 2020 and attributes to Indrik Spider. Its ATT&CK relationships describe a complete ransomware pattern: discovery of files, network shares, removable drives, and registry data; execution through the Windows command shell, native APIs, and services; stealth through obfuscated and encrypted payloads, hidden files, NTFS alternate data streams, and DLL hijacking; UAC bypass and file-permission changes; and impact through data encryption and shadow-copy deletion. For leaders, the practical issue is not just malware identification; it is whether Windows estates can detect and contain pre-encryption activity before business operations, backups, and shared data become unavailable.
Executive priority
Treat this as a ransomware readiness validation case for Windows environments. Priority questions: Are critical Windows servers, file shares, and recovery mechanisms monitored? Can the SOC see service creation/execution, registry changes, command shell activity, NTFS attribute abuse, and mass file access/encryption indicators? Are backup and recovery controls resilient against attempts to inhibit recovery? Because ATT&CK notes use across manufacturing, IT, and media, organizations with operational downtime sensitivity should use this object to test incident response decision-making, recovery evidence, and ransomware control coverage—not to assume current exposure or active targeting.
Technical view
ATT&CK provides no dedicated detection text for WastedLocker, so defenders should validate coverage across the related techniques rather than rely on a single signature. Focus on Windows telemetry for command shell execution, service creation or modification, service-based execution, registry query and modification, file/share discovery, peripheral discovery, permission or attribute changes, hidden files, NTFS alternate/extended attributes, DLL-related execution/stealth behavior, UAC bypass indicators, system checks, deobfuscation activity, inhibited recovery activity, and data encryption for impact. Relationship context to Indrik Spider is useful for threat intelligence enrichment, but detections should be behavior-led because obfuscation and junk code relationships imply static-only approaches may be brittle.
Likely telemetry
- Windows process creation and command-line events, especially cmd.exe and service-control activity
- Windows service creation, modification, and execution logs
- Registry query and modification telemetry
- File system telemetry for rapid file enumeration, writes, renames, permission changes, hidden attributes, and NTFS alternate/extended attributes
- Network share access and enumeration telemetry, especially SMB share discovery patterns
Detection direction
- Build detection around the ATT&CK technique chain: discovery of files/shares/registry followed by service or shell execution, stealth/attribute changes, recovery inhibition, and encryption-like file activity.
- Tune for ransomware-relevant sequences rather than isolated events; registry queries, command shell use, and service control are common administrative behaviors and need context such as unusual parent process, account, host role, timing, and downstream file impact.
- Validate visibility into NTFS file attributes and hidden files: WastedLocker is mapped to NTFS File Attributes (it can save and execute files from an alternate data stream) and to Hidden Files and Directories, and many logging baselines do not record ADS creation or attribute changes at all.
- Test whether backup and recovery tampering alerts are operationally actionable, not just logged, because inhibited recovery is a related impact behavior.
- Account for obfuscation relationships—Encrypted/Encoded File, Junk Code Insertion, and Deobfuscate/Decode Files or Information—by pairing static malware controls with behavioral endpoint and file-system analytics.
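The technical view and the detection direction above both argue for sequence-aware analytics rather than single-event signatures. The following is an added example written for this page, not code from Glexia, MITRE, or any of the cited reports: a small per-host correlator that chains several of the ATT&CK behaviours listed in the technique table (service creation, a service image path that points into an alternate data stream, shadow-copy deletion, and a burst of renames to one new extension as an encryption proxy). The event schema, field names, thresholds, the sample log lines, and the placeholder `.enc` extension are all constructed for the example; the shadow-deletion command patterns are common recovery-inhibition commands in general and are not claimed here as WastedLocker-specific indicators.

```python
"""
Added example: a sequence-aware ransomware analytic over constructed,
Sysmon-like events. Nothing here is real telemetry or a real IOC.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (assumed schema: ts in ISO-8601 UTC, host, type, fields).
SAMPLE_EVENTS = [
    {"ts": "2020-06-01T09:00:00", "host": "FS01", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    # Service whose image path is an alternate data stream (constructed path).
    {"ts": "2020-06-01T09:00:05", "host": "FS01", "type": "service_create",
     "service": "upd3", "image_path": r"C:\ProgramData\svc.bin:stream"},
    {"ts": "2020-06-01T09:00:07", "host": "FS01", "type": "process_create",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    # Twelve renames in three seconds, all to the same new extension.
    *[{"ts": f"2020-06-01T09:00:{10 + i // 4:02d}", "host": "FS01",
       "type": "file_rename",
       "src": rf"\\FS01\share\doc{i}.docx", "dst": rf"\\FS01\share\doc{i}.docx.enc"}
      for i in range(12)],
    # Benign admin host: a lone cmd.exe and one ordinary rename.
    {"ts": "2020-06-01T10:00:00", "host": "ADMIN01", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2020-06-01T10:00:01", "host": "ADMIN01", "type": "file_rename",
     "src": r"C:\tmp\a.tmp", "dst": r"C:\tmp\a.txt"},
]

# Common recovery-inhibition commands (T1490); generic, not WastedLocker-specific.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?.*recoveryenabled\s+no)",
    re.IGNORECASE)
# "<file>.<ext>:<stream>" at the end of a path with no further separator: an ADS.
ADS_PATH = re.compile(r"\.[A-Za-z0-9]+:[^\\\s:]+$")

RENAME_BURST_MIN = 10             # renames to one new extension ...
RENAME_BURST_WINDOW = timedelta(seconds=5)   # ... inside this window
CHAIN_WINDOW = timedelta(minutes=30)         # max spread of the whole chain


def parse_ts(s):
    return datetime.fromisoformat(s)


def stage_hits(events):
    """Yield (host, ts, technique, detail) for single-event matches."""
    for e in events:
        ts = parse_ts(e["ts"])
        if e["type"] == "process_create":
            if SHADOW_DELETE.search(e["cmdline"]):
                yield (e["host"], ts, "T1490", e["cmdline"])
            elif e["image"].lower().endswith(r"\cmd.exe"):
                # Low-confidence context only (T1059.003); never alerts alone.
                yield (e["host"], ts, "T1059.003", e["cmdline"])
        elif e["type"] == "service_create":
            yield (e["host"], ts, "T1543.003", e["image_path"])
            if ADS_PATH.search(e["image_path"]):
                yield (e["host"], ts, "T1564.004", e["image_path"])


def rename_bursts(events):
    """Sliding window per host: many renames to one new extension (T1486 proxy)."""
    per_host = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            dst = e["dst"]
            ext = dst.rsplit(".", 1)[-1].lower() if "." in dst else ""
            per_host[e["host"]].append((parse_ts(e["ts"]), ext))
    for host, items in per_host.items():
        items.sort()
        for i, (start, ext) in enumerate(items):
            in_window = [x for x in items[i:]
                         if x[0] - start <= RENAME_BURST_WINDOW and x[1] == ext]
            if len(in_window) >= RENAME_BURST_MIN:
                yield (host, start, "T1486", f"{len(in_window)} renames to .{ext}")
                break


def correlate(events):
    """Alert per host when >= 2 techniques, at least one high-severity, fall in CHAIN_WINDOW."""
    hits = defaultdict(list)
    for host, ts, technique, detail in list(stage_hits(events)) + list(rename_bursts(events)):
        hits[host].append((ts, technique, detail))
    alerts = {}
    for host, hs in hits.items():
        hs.sort()
        techniques = {t for _, t, _ in hs}
        span = hs[-1][0] - hs[0][0]
        high = techniques & {"T1490", "T1486", "T1564.004"}
        if len(techniques) >= 2 and high and span <= CHAIN_WINDOW:
            alerts[host] = {"techniques": sorted(techniques),
                            "span_seconds": int(span.total_seconds()),
                            "details": [d for _, _, d in hs]}
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert["techniques"], f"{alert['span_seconds']}s")
```

The admin host never alerts because cmd.exe and a single rename are ordinary administrative noise; FS01 alerts because service creation from an ADS, shadow-copy deletion, and a rename burst land on one host within seconds. Real tuning would add the context the list above asks for (parent process, account, host role, time of day) as further fields on each hit.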
Mitigation priorities
- Prioritize ransomware resilience on Windows: least privilege, controlled administrative access, and hardening around service creation, registry modification, UAC elevation paths, and command shell use.
- Protect and monitor backups and recovery features, including controls that prevent or alert on deletion or disabling of recovery mechanisms.
- Limit exposure of critical network shares and validate access controls, segmentation, and monitoring for share discovery and large-scale file operations.
- Ensure endpoint controls can inspect or block suspicious service execution, DLL abuse patterns, hidden/NTFS attribute misuse, and rapid file modification behavior.
- Run incident response exercises that test containment before encryption, recovery decision-making, and evidence collection across endpoint, identity, file-share, and backup systems.
Analyst notes and limits
The strongest decision value in this object comes from its relationships: WastedLocker maps to Windows-centric execution, discovery, stealth, privilege, persistence, defense-impairment, and impact behaviors typical of ransomware operations. ATT&CK also states attribution to Indrik Spider and historical use across multiple sectors. For Glexia-style assessments, this object is best used as a ransomware coverage checklist for SOC, IR, Windows hardening, backup resilience, and executive recovery readiness.
Official ATT&CK detection guidance for WastedLocker is not provided, tactics are not specified on the malware object itself, and the supplied data does not include indicators, procedures, affected customer environments, or current activity claims. Some related techniques list platforms beyond Windows, but the malware object platform is Windows; local validation should therefore focus on Windows unless separate evidence supports broader scope.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | WastedLocker created and established a service that runs until the encryption process is complete. [2] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | WastedLocker has copied a random file from the Windows System32 folder to the |
| Enterprise | T1490 | Inhibit System Recovery | WastedLocker can delete shadow volumes. [1][2][3] |
| Enterprise | T1112 | Modify Registry | WastedLocker can modify registry values within the |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | WastedLocker checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique. [2] |
| Enterprise | T1486 | Data Encrypted for Impact | WastedLocker can encrypt data and leave a ransom note. [1][2][3] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | WastedLocker has used cmd to execute commands on the system. [2] |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later. [2] |
| Enterprise | T1012 | Query Registry | WastedLocker checks for specific registry keys related to the |
| Enterprise | T1027.016 | Obfuscated Files or Information: Junk Code Insertion | WastedLocker contains junk code to increase its entropy and hide the actual code. [2] |
| Enterprise | T1120 | Peripheral Device Discovery | WastedLocker can enumerate removable drives prior to the encryption process. [3] |
| Enterprise | T1106 | Native API | WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload. [2] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | WastedLocker has performed DLL hijacking before execution. [2] |
| Enterprise | T1083 | File and Directory Discovery | WastedLocker can enumerate files and directories just prior to encryption. [2] |
| Enterprise | T1564.004 | Hide Artifacts: NTFS File Attributes | WastedLocker has the ability to save and execute files as an alternate data stream (ADS). [3] |
| Enterprise | T1135 | Network Share Discovery | WastedLocker can identify network adjacent and accessible drives. [3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | WastedLocker's custom crypter, CryptOne, used an XOR based algorithm to decrypt the payload. [2] |
| Enterprise | T1569.002 | System Services: Service Execution | WastedLocker can execute itself as a service. [2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file. [2] |
| Enterprise | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | WastedLocker has a command to take ownership of a file and reset the ACL permissions using the |
Groups, software, and campaigns
G0119: Indrik Spider
Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.[1][2][3]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by bundle hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Object version | Status | Raw hash |
|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 19d06fc7d8c6… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec WastedLocker June 2020. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
[2] NCC Group WastedLocker June 2020. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
[3] Sentinel Labs WastedLocker July 2020. Walter, J. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
[4] WastedLocker (software name as recorded by ATT&CK). Cited to: Symantec WastedLocker June 2020; NCC Group WastedLocker June 2020.
[5] mitre-attack S0612 (MITRE ATT&CK source object for this software entry).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.