Also known as the Dridex gang or INDRIK SPIDER, the Russian cybercriminal gang Evil Corp has been active since at least 2007 and is known for distributing the Dridex malware.

In December 2019, OFAC sanctioned Evil Corp gang members after they used Dridex to cause more than $100 million in financial losses. This puts their victims in a difficult position, since paying Evil Corp’s ransom would also violate the sanctions.

A year later, OFAC warned that organizations assisting ransomware victims in paying sanctioned cybercriminals also risk being sanctioned, as their actions could violate regulations.

However, according to BleepingComputer, in June 2020 Evil Corp changed its tactics to avoid the sanctions, using WastedLocker ransomware in its most recent attacks. Trucking giant Forward Air and wearable manufacturer Garmin were impacted. The latter was forced to close some of its connected services and call centers following the hack.

CrowdStrike researchers have recently linked Evil Corp to Hades ransomware after noticing a “significant code overlap.” This new malware tool is helping Evil Corp get around OFAC sanctions so that it can monetize its attacks.

Hades ransomware shares the majority of its functionality with WastedLocker; the ISFB-inspired static configuration, multi-staged persistence/installation process, file/directory enumeration and encryption functionality are largely unchanged. Hades did receive minor modifications, and the removed features included those that were uniquely characteristic of INDRIK SPIDER’s previous ransomware families — WastedLocker and BitPaymer.


Hades ransomware was first discovered in December 2020 by cybersecurity analysts and was named after a Tor hidden website that victims are instructed to visit.

A ransom note named ‘HOW-TO-DECRYPT-[extension].txt’ is created when Hades encrypts a victim’s systems, resembling the notes sent by REvil ransomware.

The ransom note redirects the victims to a Tor site with info about the attack and has a Tox messenger address they can use to contact the ransomware operators.

Hades ransom note
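For defenders, the ransom note naming convention described above can be turned into a simple detection over file-creation telemetry. The following is an added example, not code from CrowdStrike or the original article; the event format, host names, the alphanumeric form of the extension token and the two-directory alert threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Note name pattern from the article: HOW-TO-DECRYPT-[extension].txt
# Assumption: the [extension] token is short and alphanumeric.
NOTE_RE = re.compile(r"^HOW-TO-DECRYPT-([A-Za-z0-9]{1,16})\.txt$", re.IGNORECASE)

# Constructed sample events: "<ISO timestamp> <host> <action> <path>"
SAMPLE_EVENTS = """\
2021-03-20T02:14:07Z FS01 FILE_CREATE C:\\Shares\\Finance\\HOW-TO-DECRYPT-ab12c.txt
2021-03-20T02:14:07Z FS01 FILE_CREATE C:\\Shares\\Finance\\budget.xlsx.ab12c
2021-03-20T02:14:09Z FS01 FILE_CREATE C:\\Shares\\HR\\HOW-TO-DECRYPT-ab12c.txt
2021-03-20T02:14:11Z FS01 FILE_CREATE C:\\Shares\\Legal\\how-to-decrypt-ab12c.txt
2021-03-20T09:30:00Z WS07 FILE_CREATE C:\\Users\\kim\\Docs\\HOW-TO-DECRYPT-notes.txt
2021-03-20T09:31:00Z WS07 FILE_CREATE C:\\Users\\kim\\Docs\\how-to-decrypt.txt
"""

def parse_event(line):
    """Split one event line; the path may contain spaces, so split at most 3 times."""
    ts, host, action, path = line.split(" ", 3)
    return ts, host, action, PureWindowsPath(path)

def find_hades_notes(log_text, min_dirs=2):
    """Group note-name matches by (host, extension); alert when the same note
    appears in at least min_dirs distinct directories on one host."""
    hits = defaultdict(lambda: {"first_seen": None, "dirs": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = parse_event(line)
        m = NOTE_RE.match(path.name)
        if action != "FILE_CREATE" or not m:
            continue
        rec = hits[(host, m.group(1).lower())]
        rec["first_seen"] = min(ts, rec["first_seen"] or ts)
        rec["dirs"].add(str(path.parent).lower())
    return {
        key: {
            "first_seen": rec["first_seen"],
            "dir_count": len(rec["dirs"]),
            # A single match may be a benign file; many directories is the signal.
            "alert": len(rec["dirs"]) >= min_dirs,
        }
        for key, rec in hits.items()
    }

if __name__ == "__main__":
    for key, info in sorted(find_hades_notes(SAMPLE_EVENTS).items()):
        print(key, info)
```
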


CrowdStrike researchers added that “INDRIK SPIDER’s move to this ransomware variant also came with another shift in tactics: the departure from using email communication and the possibility of exfiltrating data from victims to elicit payments.”

Although there weren’t many reports of Hades ransomware attacks, since Evil Corp started using the new strain, victims have been using the ID-Ransomware service to check if their systems were hit by Hades ransomware.
