The WastedLocker Ransomware has become notorious after being attributed to the sanctioned Evil Corp hacking group and used to attack Garmin. Sophos security researchers explain how Wastedlocker uses the Windows Cache Manager to evade detection by security software. The software will monitor the operating system for file system calls traditionally used by ransomware when encrypting a file, and the offending process will be terminated if it is found to be doing so. This method effectively bypasses a security solution’s ransomware protection modules and allows WastLocker to encrypt all the files.
Source: https://www.bleepingcomputer.com/news/security/wastedlocker-ransomware-abuses-windows-feature-to-evade-detection/