Evil Corp has changed ransomware, now the group is spreading LockBit

Evil Corp has changed ransomware

Evil Corp is a group of cybercriminals also known as INDRIK SPIDER that has been operating since 2007. The gang is also known as Dridex, due to the homonymous malware it started operating with, prior to the move to ransomware attacks.

And speaking of this last type of malware, it seems that the group has decided to switch to LockBit, a well-known ransomware that can also be used against Linux systems, in order to circumvent the sanctions imposed by OFAC, the Office of Foreign Assets Control of the United States Department of the Treasury. Previously, the group had used Locky and then BitPaymer, a ransomware developed internally and abandoned in 2019. Before coming to LockBit, the group used Dridex, WastedLocker, Hades (a 64-bit variant of the latter) and others.

LockBit also affects Linux systems

In this way, it is easier for the group to blend into the crowd of other RaaS users, as exclusive and easily traceable tools are no longer used by Evil Corp.

RaaS is a growing phenomenon, as reported by Kaspersky in a recent survey and by the Microsoft Security team on their blog. For Evil Corp it is further advantageous, because not having to manage the development of its own tools directly allows the group to devote more attention to expanding its operations and the scope of its attacks.

In general, this is a phenomenon that should not be underestimated, as we have often advised. For this reason it is advisable to understand the extent of the potential damage and to equip yourself with one of the best antivirus products to protect yourself from ransomware.

US Sanctions Force Evil Corp to Change Tactics

Sanctions that the US government imposed on Russia-based crimeware gang Evil Corp in 2019 appear to have forced the threat actor to change tactics to remain in the cybercrime business.

New research into the group's activity by Mandiant shows that after the sanctions were put in place — after the group caused more than $100 million in losses to banks and other financial institutions by stealing sensitive information — Evil Corp switched to using ransomware in an apparent effort to obscure attribution. 

Moving on from using Dridex, its own exclusive (and easily fingerprinted) malware, Evil Corp actors have been observed deploying ransomware families used by multiple threat groups, such as Hades, WastedLocker, PhoenixLocker, and most recently LockBit, a ransomware-as-a-service option.

US regulations prohibit organizations — including ransomware victims and negotiators — from conducting any kind of financial transactions with organizations and entities on the US Treasury Department's Office of Foreign Assets Control (OFAC) sanctions list.

'[US] sanctions have had a direct impact on threat actor operations, particularly as at least some companies involved in ransomware remediation activities, such as negotiation, refuse to facilitate payments to known sanctioned entities,' Mandiant says in its report. 'This can ultimately reduce threat actors' ability to be paid by victims, which is the primary driver of ransomware operations.'

That means US ransomware victims need to pay closer attention to whom they are dealing with, says Jeremy Kennelly, senior manager of financial crime analysis at Mandiant Threat Intelligence.

'When dealing with a ransomware intrusion, the particular malware being deployed, or the branding on ransom notes, or shaming websites may be insufficient to determine whether the beneficiary of payments has affiliations with Evil Corp, a sanctioned entity,' he says.

Sanctions Crunch

OFAC sanctioned Evil Corp and two members associated with the group for stealing more than $100 million from financial institutions in 40 countries using credentials harvested with the Dridex malware tool.

Around the time the sanctions were imposed, Evil Corp had begun renting out Dridex for use by affiliate gangs. It also had begun making its own foray into the ransomware space, initially with BitPaymer ransomware and later with DopplePaymer and WastedLocker in 2019. 

In 2020 Evil Corp. targeted more than two-dozen US organizations with ransomware, including several Fortune 500 companies in a massive WastedLocker campaign. Months after the sanctions went into effect, the threat actor stopped using WastedLocker and soon after switched to a variety of other tools, such as Hades and most recently LockBit — a ransomware-as-a service tool that gives the threat actor an opportunity to blend in with other actors.

UNC2165: Another Evolution of Evil Corp

Mandiant says since 2019 it has investigated multiple LockBit ransomware intrusions carried out by a group that the vendor is currently tracking as UNC2165. According to Mandiant, UNC2165 has a lot of overlap with Evil Corp and is most likely an actor closely affiliated with it. For instance, in all the intrusions that Mandiant investigated, UNC2165 obtained access to the victim network via UNC1543, a financially motivated threat group that distributes FakeUpdates, a multistage JavaScript dropper for distributing malware. FakeUpdates was also the infection chain for deploying Dridex that later resulted in BitPaymer and DopplePaymer ransomware infections.

Similarly, the Hades ransomware family that Mandiant observed UNC2165 deploying had multiple code similarities to other ransomware tools tied to Evil Corp. Several of the command-and-control servers that UNC2165 has been observed using have also been linked to Evil Corp infrastructure, Mandiant says.

'The operational relationship between UNC2165 and the broader Evil Corp group is not fully understood,' Kennelly says. 'Mandiant has observed UNC2165 deploying Hades ransomware and operating Hades-related infrastructure. Furthermore, multiple public reports related to the deployment of other ransomware families commonly attributed to Evil Corp have involved use of infrastructure Mandiant attributes to UNC2165.'

Kennelly says it's unclear what impact Mandiant's report tying an Evil Corp-related actor to LockBit will have in the ransomware space. 

'The impact this disclosure will have on ransomware negotiators is difficult to predict,' he says. 'LockBit may quickly move to distance themselves from affiliates with ties to Evil Corp, or deny the allegations wholesale.'

Furthermore, UNC2165 has shifted its operations multiple times over the past years, and this may ultimately lead the group to again adopt an updated toolkit if ransomware negotiators halt work on LockBit cases, he notes.