A crucial aspect of behavior-based anti-malware software is the timely identification and blocking of rapid sequences of file operations, such as an external application quickly opening, editing, and closing many files in succession.
WastedLocker ransomware is now leveraging advanced techniques to bypass all behavior-based anti-malware tools by abusing Windows memory management features.
At the beginning of August 2020, Sophos security researchers revealed that WastedLocker employs particular techniques to obfuscate its code and to perform tasks that mirror its subroutines. Moreover, WastedLocker moves the targeted files into the Windows cache memory, encrypts the data there, and then writes them back to their original location.
As a result, the file edits appear to come only from system processes, so behavior-based anti-malware solutions do not flag them.
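As an added example (not code from Sophos or from the original article), the following Python models why a rate-based rule misses this flow: a detector that credits disk writes to the process that issued them sees only the System process doing the write-back, while a detector that attributes cache write-back to the process that opened the file for writing and mapped it still catches the same burst of modifications. The event format, process IDs and paths are constructed for the demonstration.

```python
from collections import defaultdict

SYSTEM_PID = 4  # the Windows System process, which performs cache write-back


def _direct(pid, path):
    """Constructed events: a process that opens and writes each file itself."""
    return [{"pid": pid, "op": "open_write", "path": path},
            {"pid": pid, "op": "write", "path": path}]


def _mapped(pid, path):
    """Constructed events: the process opens the file for write access and maps it
    into the cache; the later write to disk is performed by the System process."""
    return [{"pid": pid, "op": "open_write", "path": path},
            {"pid": pid, "op": "map", "path": path},
            {"pid": SYSTEM_PID, "op": "write", "path": path}]


# Constructed sample telemetry, not real logs: pid 1234 encrypts directly,
# pid 5678 uses the cache write-back flow described in the text.
EVENTS = (_direct(1234, "a.docx") + _direct(1234, "b.xlsx") + _direct(1234, "c.pdf")
          + _mapped(5678, "d.docx") + _mapped(5678, "e.xlsx") + _mapped(5678, "f.pdf"))


def naive_detector(events, threshold=3):
    """Rate-style rule: flag a process that itself writes >= threshold distinct files.
    System writes are allow-listed, so write-back from the cache is never counted."""
    writes = defaultdict(set)
    for e in events:
        if e["op"] == "write" and e["pid"] != SYSTEM_PID:
            writes[e["pid"]].add(e["path"])
    return {pid for pid, paths in writes.items() if len(paths) >= threshold}


def mapping_aware_detector(events, threshold=3):
    """Same threshold, but a System write-back is credited to the process that
    opened the file for writing and then mapped it."""
    opened, mapper, touched = {}, {}, defaultdict(set)
    for e in events:
        pid, op, path = e["pid"], e["op"], e["path"]
        if op == "open_write":
            opened[path] = pid
        elif op == "map" and opened.get(path) == pid:
            mapper[path] = pid
        elif op == "write":
            if pid == SYSTEM_PID:
                pid = mapper.get(path, SYSTEM_PID)  # attribute write-back to the mapper
            if pid != SYSTEM_PID:
                touched[pid].add(path)
    return {pid for pid, paths in touched.items() if len(paths) >= threshold}
```

Running both detectors over the same events shows the naive rule flagging only pid 1234, while the mapping-aware rule also flags pid 5678.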