[BreachExchange] WastedLocker ransomware hits Boyne Resorts ski resort operator

Destry Winant destry at riskbasedsecurity.com
Tue Oct 27 10:22:39 EDT 2020


https://www.bleepingcomputer.com/news/security/wastedlocker-ransomware-hits-boyne-resorts-ski-resort-operator/

US-based ski and golf resort operator Boyne Resorts has suffered a
cyberattack by the WastedLocker operation that has impacted
company-wide reservation systems.

Boyne Resorts owns and operates eleven properties located in the USA
and Canada and has 11,000 employees. Many of these properties are
situated on well-known ski mountains, including Big Sky, Montana,
Sugarloaf, Maine, and Brighton, Utah.

Boyne Resorts hit by WastedLocker ransomware

Today, BleepingComputer received an anonymous tip from an alleged
Boyne Resorts employee who stated that the company suffered an
undisclosed ransomware attack last weekend.

We were told that the attack affected their corporate offices and then
spread to IT systems of the resorts they operate, forcing them to shut
down portions of their network to prevent the ransomware spread.

BleepingComputer has since confirmed with a second source that Boyne
Resorts was attacked using the WastedLocker ransomware, the same one
used in the attack on Garmin in July.

Due to this attack, it is not possible to book lodging at the resort
as the company-wide reservation systems are impacted by the attack,
including the online reservation systems at each hotel's website.

Reservation system outage

BleepingComputer was told that the reservation systems are expected to
be down for another couple of days. This attack comes at a bad time
for Boyne as people begin to plan potential ski trips for the winter.

As part of this attack, we are told that encrypted files were renamed
so that the .easy2lock extension was appended to each file's name.

BleepingComputer has been able to find a sample of the WastedLocker
ransomware uploaded to VirusTotal on October 14th, 2020, that utilizes
the .easy2lock extension. Due to its earlier date, we do not believe
this is the exact sample used in the attack on Boyne Resorts.

Below is an example ransom note created by this WastedLocker
Ransomware variant. This ransom note may not be the same as the one
used during Boyne Resort's attack.

WastedLocker ransomware easy2lock variant

BleepingComputer has contacted Boyne Resorts with further questions
about this attack but has not received a reply.

If you have first-hand information about this or other unreported
cyberattacks, you can confidentially contact us on Signal at
+16469613731 or on Wire at @lawrenceabrams-bc.

WastedLocker linked to a US sanctioned hacking group

Security firms attribute WastedLocker to a Russian-based hacking group
known as Evil Corp (aka the Dridex gang).

This group has been active since at least 2007 and is known for
developing the Dridex malware and a ransomware strain known as
BitPaymer.

In December 2019, The U.S. Treasury Department sanctioned Evil Corp
for causing more than $100 million in financial damages.

Due to this, it is a tricky situation if Boyne Resorts wanted to pay
the ransom as they would potentially violate United States sanctions.

Ransom payments to WastedLocker have become riskier this month, as the
U.S. Treasury Department's Office of Foreign Assets Control (OFAC)
issued a warning that organizations making ransom payments face
sanctions risks if their actions violate OFAC regulations.


More information about the BreachExchange mailing list