The Threat Actors Are Trying to Circumvent Sanctions.
Last updated on June 3, 2022
Also known as the Dridex gang or INDRIK SPIDER, the Russian cybercriminal gang Evil Corp has been active since at least 2007 and is known for distributing the Dridex malware.
In order to circumvent the restrictions imposed by the Office of Foreign Assets Control of the United States Treasury Department, the cybercrime organization is known as Evil Corp has recently begun infecting its victims’ networks with the LockBit ransomware (OFAC).
As BleepingComputer reports, the cybercriminal organization first used the Locky ransomware, and then from 2017 to 2019 they used their own ransomware strain known as BitPaymer.
After receiving sanctions from the United States in December 2019 for their use of the Dridex ransomware to inflict more than $100 million in financial losses, the organization began deploying its newest ransomware, WastedLocker, in June of 2020.
Starting in March 2021, Evil Corp began using a different strain of ransomware called as Hades ransomware. Hades ransomware is a 64-bit variation of WastedLocker that has been improved with more code obfuscation and other minor feature modifications.
Since that time, the threat actors have posed as members of the PayloadBin hacking organization and utilized additional strains of ransomware with names like Macaw Locker and Phoenix CryptoLocker.
As was previously noticed by threat researchers working for Mandiant, the cybercrime syndicate has now made another move to disassociate themselves from known technology that enables victims to pay ransoms without running the danger of breaking OFAC restrictions.
An activity cluster identified by Mandiant as UNC2165, which had been delivering the Hades ransomware and was previously tied to Evil Corp, is now deploying ransomware as an associate of LockBit.
Mandiant has investigated multiple LOCKBIT ransomware intrusions attributed to UNC2165, a financially motivated threat cluster that shares numerous overlaps with the threat group publicly reported as “Evil Corp.” UNC2165 has been active since at least 2019 and almost exclusively obtains access into victim networks via the FAKEUPDATES infection chain, tracked by Mandiant as UNC1543. Previously, we have observed UNC2165 deploy HADES ransomware. Based on the overlaps between UNC2165 and Evil Corp, we assess with high confidence that these actors have shifted away from using exclusive ransomware variants to LOCKBIT—a well-known ransomware as a service (RaaS)—in their operations, likely to hinder attribution efforts in order to evade sanctions.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.