Macaw Locker, Evil Corp’s Latest Version Makes New Victims
The Ransomware Actors Demanded from Sinclair and Olympus a Total of $68 Million.
Last updated on October 22, 2021
In order to avoid US sanctions that avert victims from paying ransom demands, Evil Corp threat actor has released a new ransomware dubbed Macaw Locker.
About Evil Corp
Also known as the Dridex gang or INDRIK SPIDER, the Russia-based hacking group Evil Corp has been around since at least 2007 and is notorious for developing and distributing the banking trojan known as Dridex.
As ransomware operations became more profitable, Evil Corp cybercriminal organization released BitPaymer, which was distributed via the Dridex malware to infected business networks.
In December 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC)took action against Evil Corp sanctioning the members after using Dridex to cause more than $100 million in financial losses.
As a result of these sanctions, ransomware negotiation companies will no longer facilitate ransom payments for Evil Corp-related operations.
In order to avoid these sanctions, Evil Corp gang members started renaming their ransomware campaign to different names such as WastedLocker, Hades, and Phoenix, and PayloadBin.
DoppelPaymer, which has recently changed its name to Grief, is yet another ransomware group suspected of being linked to Evil Corp. However, the link between the two has not been confirmed.
“New Kid On the Block”
This month, Olympus, a firm that specializes in medical technology and Sinclaire TV Stations known as Sinclair Broadcast Group, revealed they have suffered cyberattacks that seriously impacted their operations.
Following the attack on Sinclair TV Stations, the Active Directory services would have been shut down and the network domain resources access would have been blocked. The attack also affected various corporate assets including newsroom systems, broadcasting, and e-mail servers.
Still dealing with technical difficulties at @CBS6Albany …. Our 11pm newscast (which is starting late after football) will be unconventional. We’re working with handwritten notes, and it’s going to be a bit more conversational. Tune in, and thanks for bearing with us! 😀🙏🏼 pic.twitter.com/D620UCD72F
It was recently found that both attacks were carried out by a novel ransomware dubbed Macaw Locker. Emsisoft CTO Fabian Wosar told BleepingComputer, that based on code analysis, MacawLocker is the latest rebrand of Evil Corp’s ransomware gang.
Macaw Locker allegedly asked for a 450 bitcoin ransom, or $28 million, for one victim and $40 million for the other. We don’t know yet which company has to pay what ransom.
Macaw Locker M.O.
The new ransomware encrypts targets’ files and adds the .macaw extension to the file name of the encrypted files. The ransomware will generate ransom messages in each folder named macaw recover.txt whilst encrypting files.
As explained by BleepingComputer, the ransom notification for each attack includes a unique victim negotiation page on the Macaw Locker’s Tor website and an associated decryption ID, or campaign ID.
As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.