After being sanctioned by the US Treasury Department’s Office of Foreign Assets Control (OFAC) for using Dridex to cause more than $100 million in financial losses, Evil Corp gang members began rebranding their ransomware operations under different names such as WastedLocker, Hades, and Phoenix to evade these sanctions.

Also known as the Dridex gang or INDRIK SPIDER, the Russian cybercriminal gang Evil Corp has been active since at least 2007 and is known for distributing the Dridex malware.

Recently, as discovered by BleepingComputer, Evil Corp launched a ransomware operation dubbed BitPaymer, which was delivered via the Dridex malware in compromised corporate networks.

After claiming responsibility for the attack on the Metropolitan Police Department, the Babuk gang said they were quitting ransomware encryption and would instead focus on data theft and extortion.

On June 1st, MalwareHunterTeam reported on Twitter that the Babuk data leak site had undergone a design refresh, with the ransomware gang rebranding as a new group called “payload bin”.

Following the news, BleepingComputer found a new ransomware sample dubbed PayloadBIN, which is related to the Babuk Locker rebranding.

When installed, the ransomware will append the .PAYLOADBIN extension to encrypted files, as shown below.

[Image: files encrypted with the .PAYLOADBIN extension]

Image Source: BleepingComputer

The ransom note is named ‘PAYLOADBIN-README.txt’ and states that the victim’s “networks is LOCKED with PAYLOADBIN ransomware.”

[Image: PayloadBIN ransom note]

Image Source: BleepingComputer

Although all the evidence suggested Babuk was lying about their intentions to step down from ransomware, ID Ransomware and Emsisoft researchers Michael Gillespie and Fabian Wosar confirmed that the ransomware is in fact a rebranding of Evil Corp’s former ransomware operations.

Since the ransomware is now attributed to Evil Corp, most ransomware negotiation firms won’t help facilitate payments for victims affected by the PayloadBIN ransomware.
