Technology

Evil Corp affiliates are using off-the-shelf ransomware to evade sanctions

Researchers found a number of similarities between Evil Corp and a new group of attackers.

June 2, 2022

(Getty Images)

Hackers likely affiliated with the notorious Russian cybercrime group Evil Corp are using off-the-shelf ransomware to evade U.S. sanctions, researchers at security firm Mandiant have found.

The researchers’ observations, published Thursday, are just the latest example of how cybercriminals affiliated with Evil Corp have shifted tactics after U.S. sanctions in 2019 increased scrutiny over transactions with the group.

The group, which had already started pivoting from broader financial crimes to ransomware prior to 2019, has since been tied by multiple researchers to a number of different malware strains including WASTEDLOCKER and HADES ransomware.

But as those strains became synonymous with Evil Corp, users have had to adjust. For instance, after an October 2020 Treasury Department advisory tying WASTEDLOCKER to the group, researchers noticed a drop in activity using the malware. Researchers at Emsisoft even observed Evil Corp affiliates masquerading last year as another notorious group, REvil, to evade sanctions.

Treasury sanctioned Evil Corp in 2019 for its development and distribution of Dridex, a malware used to infiltrate hundreds of financial institutions in more than 40 countries, leading to millions of dollars in damages.

Now, affiliates whom researchers group as “UNC2165” have since taken cover with LOCKBIT, a ransomware-as-a-service with ties to a number of different threat actors.

“The adoption of existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp,” the Mandiant researchers write. “Both the prominence of LOCKBIT in recent years and its successful use by several different threat clusters likely made the ransomware an attractive choice.”

Also in 2019, prosecutors indicted two Russian nationals, Maksim Yakubets and Igor Turashev, in connection with Evil Corp. Yakubets was accused of providing direct assistance to the Russian government.

Despite scrutiny from the U.S. government, the notorious and prolific Russian crime group has continued to go after U.S. targets. Evil Corp was accused of launching a cyberattack against U.S. media company Sinclair Broadcast Group in October.

Evil Corp affiliates are using off-the-shelf ransomware to evade sanctions

More Like This

Decade-old malware haunts Ukrainian police

Six-year old bug will likely live forever in Lenovo, Intel products

Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility

Top Stories

With a mysterious surveillance target identified, calls for Congress to change course

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

More Scoops

FBI, British authorities seize infrastructure of LockBit ransomware group

After Hive takedown, could the LockBit ransomware crew be the next to fall?

LockBit ransomware crew claims attack on California Department of Finance

LockBit 2.0 gang claims Mandiant as latest victim; Mandiant sees no evidence of it

Russian ransomware group claims attack on Bulgarian refugee agency

Ransomware gang Conti has already bounced back from damage caused by chat leaks, experts say

Offense will win some battles, but cyber defense will win the war

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics