Evil Corp Evades OFAC Sanctions by Employing Hades Ransomware
Hades ransomware has been linked to the Evil Corp cybercrime gang who uses it to bypass sanctions imposed by the Treasury Department’s Office of Foreign Assets Control (OFAC).
Also known as the Dridex gang or INDRIK SPIDER, the Russian cybercriminal gang Evil Corp has been active since at least 2007 and is known for distributing the Dridex malware.
In December 2019, OFAC sanctioned Evil Corp gang members after using Dridex to cause more than $100 million in financial losses. Due to this situation, their victims are put in a difficult position, since they would also violate the sanctions if they want to pay Evil Corp’s ransom.
A year later, OFAC warned that organizations assisting ransomware victims in paying sanctioned cybercriminals also take the risk of being sanctioned as their actions could violate regulations.
However, according to Sergiu Gatlan, in June 2020 Evil Corp renewed its tactics to avoid the sanctions, using WastedLocker ransomware in their most recent attacks. Trucking giant Forward Air and wearable manufacturer Garmin were impacted. The latter was forced to close some of its connected services and call centers following the hack.
CrowdStrike researchers have recently linked Evil Corp to Hades ransomware after noticing a “significant code overlap.” This new malware tool is helping Evil Corp avoid OFAC sanctions to monetize their attacks.
Hades ransomware shares the majority of its functionality with WastedLocker; the ISFB-inspired static configuration, multi-staged persistence/installation process, file/directory enumeration and encryption functionality are largely unchanged. Hades did receive minor modifications, and the removed features included those that were uniquely characteristic of INDRIK SPIDER’s previous ransomware families — WastedLocker and BitPaymer.
Hades ransomware was first discovered in December 2020 by cybersecurity analysts and was named after a Tor hidden website that victims are instructed to visit.
#Ransomware Hunt: Calls itself “Hades ransomware”. Extension is random 5 lowercase alphanum, note “HOW-TO-DECRYPT-xxxxx.txt” (xxxxx = extension of files)
Seen x3 different Tor URLs pointing to the exact same site and Tox address – TA never responds. pic.twitter.com/sy2eYecxXV
— Michael Gillespie (@demonslay335) December 16, 2020
A ransom note named ‘HOW-TO-DECRYPT-[extension].txt’ is created when Hades encrypts a victim’s systems, resembling the notes sent by REvil ransomware.
The ransom note redirects the victims to a Tor site with info about the attack and has a Tox messenger address they can use to contact the ransomware operators.
Hades ransom note
CrowdStrike researchers added that “INDRIK SPIDER’s move to this ransomware variant also came with another shift in tactics: the departure from using email communication and the possibility of exfiltrating data from victims to elicit payments.”
Although there weren’t many reports of Hades ransomware attacks, since Evil Corp started using the new strain, victims have been using the ID-Ransomware service to check if their systems were hit by Hades ransomware.