Windows 10: Block or Avoid WASTEDLOCKER Ransomware detected on 23-06-2020

Discussion in 'AntiVirus, Firewalls and System Security' started by RAJU.MSC.MATHEMATICS, Jun 24, 2020.

  1. Block or Avoid WASTEDLOCKER Ransomware detected on 23-06-2020

    On 23-06-2020, some cybersecurity researchers found that WASTEDLOCKER ransomware attacked organization computers.

    The way of attack is explained in the article below:

    https://blog.fox-it.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/

    After reading the above article, I took the following precautions.

    Step 01

    I added the following links to the hosts file, which is located in C:\windows\system32\drivers\etc\



    Step 02

    Also, I executed the following commands using PowerShell.exe with admin rights:

    Set-MpPreference -DisableBehaviorMonitoring $false

    Set-MpPreference -MAPSReporting 2

    Remove-MpPreference -ExclusionProcess rundll32.exe

    Remove-MpPreference -ExclusionExtension dll

    Step 03

    I blocked the program "rundll32.exe" in Windows Firewall, under the location C:\Windows\system32\, for both inbound and outbound connections, with any IP addresses and any protocols.

    Source is taken from:

    https://blog.fox-it.com/2020/06/23/...are-variant-developed-by-the-evil-corp-group/

    I say thanks to the author of the article from this forum, for the detailed explanations of the ransomware.

    Thanks for reading my post. If you like this post, then share it with other users and give upvotes.

    :)
     
    RAJU.MSC.MATHEMATICS, Jun 24, 2020
    #1
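
A read-only way to confirm that the three steps in the post above took effect, as an added example that is not part of the original post. The two `.invalid` domains are constructed placeholders, the function names are hypothetical, and the SysWOW64 check is an addition the post does not mention.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the three steps in the post; it changes nothing.
# Constructed placeholders: replace with the domains you put in the hosts file.
$BlockedDomains = @('blocked-example-1.invalid', 'blocked-example-2.invalid')

function Test-HostsSinkhole {
    param([string[]]$Domain,
          [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Collect every name mapped to 0.0.0.0 or 127.0.0.1, ignoring comments.
    $sinkholed = foreach ($line in Get-Content -LiteralPath $Path) {
        $f = @(($line -replace '#.*$', '').Trim() -split '\s+' | Where-Object { $_ })
        if ($f.Count -ge 2 -and $f[0] -in '0.0.0.0', '127.0.0.1') { $f[1..($f.Count - 1)] }
    }
    foreach ($d in $Domain) {
        [pscustomobject]@{ Check = "hosts: $d"; Pass = ($sinkholed -contains $d) }
    }
}

function Test-DefenderSettings {
    $p = Get-MpPreference
    [pscustomobject]@{ Check = 'defender: behavior monitoring on'; Pass = -not $p.DisableBehaviorMonitoring }
    [pscustomobject]@{ Check = 'defender: MAPSReporting = 2'; Pass = ($p.MAPSReporting -eq 2) }
    [pscustomobject]@{ Check = 'defender: no rundll32.exe process exclusion'
                       Pass  = -not (@($p.ExclusionProcess) -match 'rundll32\.exe$') }
    [pscustomobject]@{ Check = 'defender: no dll extension exclusion'
                       Pass  = -not (@($p.ExclusionExtension) -match '^\.?dll$') }
}

function Test-Rundll32FirewallBlock {
    # The post names the System32 copy; SysWOW64 is an addition here, since
    # 64-bit Windows also ships a 32-bit rundll32.exe in that folder.
    $filters = Get-NetFirewallApplicationFilter -All
    foreach ($dir in 'System32', 'SysWOW64') {
        $exe = Join-Path $env:SystemRoot "$dir\rundll32.exe"
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        # Rules may store the path with %SystemRoot%, so expand before comparing.
        $rules = @($filters |
            Where-Object { [Environment]::ExpandEnvironmentVariables($_.Program) -eq $exe } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' })
        foreach ($direction in 'Inbound', 'Outbound') {
            [pscustomobject]@{ Check = "firewall: block $direction $exe"
                               Pass  = [bool]($rules | Where-Object Direction -eq $direction) }
        }
    }
}

@(Test-HostsSinkhole -Domain $BlockedDomains) + @(Test-DefenderSettings) +
    @(Test-Rundll32FirewallBlock) | Format-Table -AutoSize
```

Any row with Pass = False marks a step that is not in effect on that machine. The firewall check does not inspect the address or protocol scope of the rules it finds.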
  2. zbook Win User

    (KB4560960) - Error 0x800f0900 -> CBS.log

    Code:
    1) Open administrative command prompt and type or copy and paste:
    2) sfc /scannow
    3) dism /online /cleanup-image /checkhealth
    4) dism /online /cleanup-image /scanhealth
    5) dism /online /cleanup-image /restorehealth
    6) sfc /scannow
    7) chkdsk /scan

    8) When these have completed > right click on the top bar or title bar of the administrative command prompt box > left click on edit then select all > right click on the top bar again > left click on edit then copy > paste into the thread
     
    zbook, Jun 24, 2020
    #2
  3. soroosh Win User
    Windows update problem 0x80070002

    ITNOA

    Hi, I have Windows 10 Pro version 1909 and OS Build 18363.657.

    When I want to get the 2020-02 Cumulative Update for Windows 10 Version 1909 for x64-based Systems (KB4532693), I get Error 0x80070002 with the error details below:

    2020-03-06 23:38:39, Info Populate features from CBS

    2020-03-06 23:38:39, Info Using online (TI hosted) servicing stack

    2020-03-06 23:38:39, Info arbiter: Determining media feature name

    2020-03-06 23:38:39, Info Device: has Group: Microsoft, FMID: (null), Feature: Professional_en-US

    2020-03-06 23:38:39, Info Device: Edition version: 10.0.18362.657

    2020-03-06 23:38:39, Info arbiter: gathering packages from CBS

    2020-03-06 23:38:39, Info CBS: Package Keyform: Microsoft-OneCore-ApplicationModel-Sync-Desktop-FOD-Package~31bf3856ad364e35~amd64~~10.0.18362.329

    2020-03-06 23:38:39, Info CBS: Package Keyform: Microsoft-OneCore-Graphics-Tools-Package~31bf3856ad364e35~amd64~~10.0.18362.267

    2020-03-06 23:38:39, Info CBS: Package Keyform: Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-GB~10.0.18362.657

    2020-03-06 23:38:39, Info Device: supported SatelliteType: Language, en-GB

    2020-03-06 23:38:39, Info CBS: Package Keyform: Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~10.0.18362.657

    2020-03-06 23:38:39, Info Device: supported SatelliteType: Language, en-US

    2020-03-06 23:38:39, Info CBS: Package Keyform: Microsoft-Windows-FodMetadata-Package~31bf3856ad364e35~amd64~~10.0.18362.1

    2020-03-06 23:38:39, Info CBS: Package Keyform: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.18362.657

    2020-03-06 23:38:39, Info CBS: Package Keyform: Microsoft-Windows-Hello-Face-Package~31bf3856ad364e35~amd64~~10.0.18362.628

    2020-03-06 23:38:39, Info CBS: Package Keyform: Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~11.0.18362.1

    2020-03-06 23:38:39, Info CBS: Package Keyform: Microsoft-Windows-LanguageFeatures-Basic-en-gb-Package~31bf3856ad364e35~amd64~~10.0.18362.1

    2020-03-06 23:38:39, Info CBS: Package Keyform: Microsoft-Windows-LanguageFeatures-Basic-en-us-Package~31bf3856ad364e35~amd64~~10.0.18362.1

    2020-03-06 23:38:39, Info CBS: Package Keyform: Microsoft-Windows-LanguageFeatures-Basic-fa-ir-Package~31bf3856ad364e35~amd64~~10.0.18362.1

    2020-03-06 23:38:39, Error 'Failed opening package': HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND)

    2020-03-06 23:38:39, Error 'Failed to open package': HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND)

    2020-03-06 23:38:39, Error 'Failed enumerating installed packages': HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND)

    2020-03-06 23:38:39, Error 'Failed getting device info from CBS': HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND)

    2020-03-06 23:38:39, Error 'Failed to populate device information': HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND)

    2020-03-06 23:38:39, Info arbiter: --- CreateActionlist end with result: -2147024894 ---

    2020-03-06 23:38:39, Error 'Failed to create action list.': HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND)

    2020-03-06 23:38:39, Info CreateActionList failed. Error [0x80070002]

    2020-03-06 23:38:39, Error CDeploymentSession::GenerateDownloadRequestForOS(4345): Result = 0x80070002

    2020-03-06 23:38:39, Error GenerateDownloadRequestForOS failed with [0x80070002]

    2020-03-06 23:38:39, Error CDeploymentSession::GenerateDownloadRequest(5334): Result = 0x80070002

    2020-03-06 23:38:39, Info GenerateDownloadRequest: Exit

    2020-03-06 23:38:39, Info OnError: [0x80070002]

    2020-03-06 23:38:39, Info WatsonHelper: Setting bucket parameter [3]: [0x80070002]

    2020-03-06 23:38:39, Info [Plugins]::Serialize: 0 plugins present.

    2020-03-06 23:38:39, Info WatsonHelper: Setting Parameter [0] to: [0]

    2020-03-06 23:38:39, Info WatsonHelper: Parameter [1] is muted - Ignoring: [RS:57AD]

    2020-03-06 23:38:39, Info WatsonHelper: Setting Parameter [1] to: [X]

    2020-03-06 23:38:39, Info WatsonHelper: Setting Parameter [2] to: [3]

    2020-03-06 23:38:39, Info WatsonHelper: Setting Parameter [3] to: [0x80070002]

    2020-03-06 23:38:39, Info WatsonHelper: Setting Parameter [4] to: [amd64]

    2020-03-06 23:38:39, Info WatsonHelper: Setting Parameter [5] to: [18363]

    2020-03-06 23:38:39, Info WatsonHelper: Setting Parameter [6] to: [19h1_release]

    2020-03-06 23:38:39, Info WatsonHelper: Setting Parameter [7] to: [18362]

    2020-03-06 23:38:39, Info WatsonHelper: Setting Parameter [8] to: [19h1_release_svc_prod1]

    2020-03-06 23:38:39, Info WatsonHelper: Setting Parameter [9] to: [657]

    2020-03-06 23:38:39, Info WatsonHelper: Adding file to report [C:\WINDOWS\Logs\MoSetup\UpdateAgent.log]

    2020-03-06 23:38:39, Info WatsonHelper: Uploading Report.

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: ExtensionName = [OS]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: hr = [0x80070002]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: InternalFailureResult = [0x0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: result = [1]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: RangeRequestState = [0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: DeletedCorruptFiles = [0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: DownloadRequests = [0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: PackageCountTotal = [0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: PackageCountRequired = [0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: PackageCountOptional = [0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: PackageSizeCanonical = [0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: PackageSizeDiff = [0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: PackageSizeExpress = [0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: PackageCountTotalCanonical = [0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: PackageCountTotalDiff = [0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: PackageCountTotalExpress = [0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: PackageExpressType = [FALSE]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: PackageCategoriesSkipped = [0x0]

    2020-03-06 23:38:40, Info ReportEventDownloadRequestEnd: SandboxTaggedForReserves = [FALSE]

    2020-03-06 23:38:40, Info UpdateAgent logging ends.

    How can I resolve my problem?

    Thanks
     
    soroosh, Jun 24, 2020
    #3
  4. Block or Avoid WASTEDLOCKER Ransomware detected on 23-06-2020

    Jsssssssss, Jun 24, 2020
    #4