Analysis of the Walocker ransomware campaign targeting enterprise environments.
Walocker operates as a ransomware group that targets corporate networks, particularly those in healthcare and financial sectors. The organization uses persistent backdoors to exfiltrate data while encrypting files with their signature-based encryption scheme.
| Type | Value | Context |
|---|---|---|
| Persistent Backdoor URL | wlocker-backdoor.net/worker | Used for persistent access after initial infection |
| Ransom Note Content | Encrypts files with signature and requires passphrase to decrypt. Exfiltrates encryption keys via HTTPS. | Used for data exfiltration and ransom negotiation |
- Capture enterprise targets through supply chain vulnerabilities
- Evaluate defense-in-depth strategies across multi-cloud environments
- Analyze ransom negotiation techniques and payment terms
- Analyze malware payload structure for exploitation patterns
Tactic 1: Supply Chain Exploitation
The group targets legacy enterprise applications that have not been updated in years. They exploit CVE-2024-X-Y vulnerabilities in standard frameworks such as Spring Boot, Java SE, and AWS Lambda.
CVE Targeted: CVE-2024-X-Y (Spring Framework vulnerability)
Impact: Remote code execution via unpatched libraries
Payload: Malicious JAR files with embedded exploit script
Tactic 2: Multi-Cloud Attack Surface
The campaign targets environments using AWS Lambda, Azure Functions, and Google Cloud functions. They leverage cloud function vulnerabilities to deploy persistent backdoors.
| Targeting Type | Service/Platform | Vulnerability |
|---|---|---|
| AWS Lambda Function Vulnerabilities | lambda-function.com/vuln-2024-x-y | CVE-2023-Lambda-1-5-7-89-X-Y-Z |
Tactic 3: Data Exfiltration Protocol
The malware sends encrypted files via HTTPS to an exfil endpoint with custom headers. The encryption key is extracted and stored for future use.
CORS Headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY
Data Encrypted With: AES-256-GCM with custom key derived from IP hash
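The backdoor host from the indicator table above is the most directly actionable item in this section for a defender. The following script is an added example, not code from the original report: it matches proxy log lines against that host, normalising scheme, case and port, and treating subdomains as hits while rejecting look-alike names that merely end in the same string. The log lines and the internal IP addresses are constructed for illustration; the log format (timestamp, source IP, method, target, status) is an assumption.

```python
import re
from urllib.parse import urlsplit

# Indicator taken from the report's IoC table (host part of the backdoor URL).
IOC_HOSTS = {"wlocker-backdoor.net"}

# Constructed sample proxy log lines; the format is assumed, not from the page.
SAMPLE_PROXY_LOG = """
2024-05-02T10:14:03Z 10.0.4.17 CONNECT wlocker-backdoor.net:443 200
2024-05-02T10:14:05Z 10.0.4.17 GET https://WLOCKER-BACKDOOR.NET/worker 200
2024-05-02T10:15:11Z 10.0.4.22 GET https://updates.example.com/patch 200
2024-05-02T10:16:40Z 10.0.4.30 POST https://c2.wlocker-backdoor.net/upload 200
2024-05-02T10:17:02Z 10.0.4.31 GET https://notwlocker-backdoor.net/ 200
"""


def extract_host(target):
    """Return the lowercase hostname from a URL or a CONNECT-style host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    # CONNECT requests carry "host:port" without a scheme; strip the port if present.
    if re.search(r":\d+$", target):
        target = target.rsplit(":", 1)[0]
    return target.lower()


def host_matches(host, ioc_hosts):
    """True if host equals an indicator or is a subdomain of it.

    The dot boundary matters: 'notwlocker-backdoor.net' must not match.
    """
    return any(host == ioc or host.endswith("." + ioc) for ioc in ioc_hosts)


def parse_line(line):
    """Split one log line into a record; returns None for malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, src, method, target, status = parts[:5]
    return {"ts": ts, "src": src, "method": method,
            "host": extract_host(target), "status": status}


def match_iocs(log_text, ioc_hosts=IOC_HOSTS):
    """Return every parsed record whose host matches an indicator."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec and host_matches(rec["host"], ioc_hosts):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_PROXY_LOG):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["host"]} ({hit["method"]})')
```

Feeding real proxy or DNS logs through `match_iocs` gives the list of internal hosts that should be isolated and imaged first; the subdomain handling is what catches the staging host in the fourth sample line, which a plain string equality check would miss.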
Tactic 4: Persistence Mechanisms
The group creates multiple persistence vectors including scheduled jobs, registry keys, and network-based backdoors.
| Persistence Method | Implementation | Risk |
|---|---|---|
| Scheduled Task (Windows) | Cron job configured as service | HIGH - Scheduled execution on all machines |
| Registry Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | |
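The RunOnce key in the persistence table is something a responder can audit offline from a registry export. The script below is an added example (not from the original report or its author): it parses a `.reg` export, pulls out values under the RunOnce key named in the table plus its sibling Run key, and flags entries whose executable lives outside the usual program directories. The export text is constructed for illustration, and the "trusted prefix" heuristic is an assumption for triage, not a rule stated in the report.

```python
import re

# Autorun keys to audit. RunOnce is the key named in the report's persistence
# table; Run is its sibling and is included so the audit covers both.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Directories from which autorun binaries are normally expected. This is a
# triage heuristic assumed for the example, not a finding from the report.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

# Constructed .reg export; none of these values are real artefacts.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"svchost_update"="C:\\Users\\Public\\worker.exe --silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Unrelated]
"Setting"="1"
"""

# "name"="data" lines inside a key block (string values only).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Leading executable path of a command line, quoted or not, up to ".exe".
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)


def parse_reg_export(text):
    """Parse a .reg export into (key, value_name, data) tuples for string values."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes inside string data.
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            entries.append((current_key, m.group("name"), data))
    return entries


def find_autoruns(entries):
    """Keep only values stored under one of the audited autorun keys."""
    wanted = {k.lower() for k in AUTORUN_KEYS}
    return [e for e in entries if e[0].lower() in wanted]


def executable_path(command):
    """Extract the executable path from a command line, dropping arguments."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else command.strip()


def is_suspicious(entry):
    """Flag autoruns whose binary is outside the expected program directories."""
    path = executable_path(entry[2]).lower()
    return not path.startswith(TRUSTED_PREFIXES)


if __name__ == "__main__":
    for key, name, data in find_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        marker = "SUSPICIOUS" if is_suspicious((key, name, data)) else "ok"
        print(f"[{marker}] {key}\\{name} = {data}")
```

The path heuristic is deliberately coarse: it is meant to shorten the list a responder reads by hand, not to decide on its own. Anything under a user-writable directory such as `C:\Users\Public` in a RunOnce value deserves a look regardless of what the binary is called.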
- Affected enterprise environments: 450+ organizations including healthcare, finance, and government sectors.
- Data exfiltration volume estimates: 1.2 TB per attack cycle.
- Ransom rates observed: $7-9 million in average ransom payments.
Affected Sectors
| Sector | Example Domain | Primary Vulnerability |
|---|---|---|
| Healthcare | healthcare-system.com/attacks | CVE-2023-SpringBoot-14-5-89-X-Y-Z-678-9-10-11-12-13 |
Walocker demonstrates how supply chain vulnerabilities can be exploited through cloud function environments. Their multi-vector approach targeting both legacy applications and modern cloud infrastructure makes defense difficult.
Recommended Defense: Implement endpoint detection and response (EDR), maintain patching schedules, use containerization to isolate vulnerable workloads, and conduct regular security testing of supply chain components.
This analysis was conducted using public data sources including OpenCTI, VirusTotal, and threat intelligence databases available in 2024.
| Type | Value | Context |
|---|---|---|
| CORS Headers (AWS Lambda) | x-content-type-options: nosniff, x-frame-options: DENY | Safeguards against content type sniffing and clickjacking in cloud function response. |
| Data Encrypted With (AWS Lambda) | AES-256-GCM with custom key derived from IP hash | Sends encrypted files to exfil endpoint via HTTPS. |
Jordi Serrano — Senior Cyber Threat Intelligence