Evil Corp Ransomware Posing As PayloadBin Group To Avoid US Sanctions

Evil Corp and PayloadBIN

Operators of new ransomware PayloadBIN, linked to the cybercriminal group Evil Corp, are trying to avoid sanctions imposed by the Office of Foreign Assets Control of the US Treasury Department (OFAC).

Members of Evil Corp (also known as Indrik Spider and Dridex) started out as partners with the ZeuS botnet operators. Over time, Evil Corp formed its own group that focused on distributing a banking Trojan called Dridex via phishing emails.

When the gang moved towards high-yield ransomware attacks, Evil Corp used BitPaymer ransomware, which the Dridex malware delivered to already compromised corporate networks.

Following sanctions by the U.S. government in 2019, firms negotiating with ransomware operators refused to pay ransoms for Evil Corp’s attacks to avoid fines or lawsuits from the U.S. Treasury Department. Evil Corp has begun renaming its ransomware campaigns to Hades and Phoenix in an effort to bypass these sanctions.

Recall that at the end of April this year, Babuk operators announced the termination of their activities. However, two weeks later, the hackers resurfaced, presenting a new project, Payload Bin.

"Although the hackers are no longer going to steal data and demand ransom for it, they will provide such an opportunity for other cybercriminals who do not have their own name and leak site," the specialized media said.

BleepingComputer discovered a new sample of ransomware called PayloadBIN on VirusTotal and initially suggested that the malware was related to the Babuk Locker rebranding. Once installed, the ransomware adds the .PAYLOADBIN extension to the encrypted files. In addition, the ransom note is called PAYLOADBIN-README.txt and informs the victim that “the networks have been BLOCKED using the PAYLOADBIN ransomware.”
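The two file-system artifacts named above (the .PAYLOADBIN extension and the PAYLOADBIN-README.txt note with its "BLOCKED using the PAYLOADBIN ransomware" wording) are enough for a first triage sweep of a suspect share. The script below is an added example, not code from the article or from any named researcher; the directory tree it scans is constructed inline so it runs offline.

```python
"""Triage sweep for the PayloadBIN indicators described in the article (added example)."""
import os
import tempfile
from dataclasses import dataclass, field

EXT = ".PAYLOADBIN"                                   # extension appended to encrypted files
NOTE_NAME = "PAYLOADBIN-README.txt"                  # ransom note file name
NOTE_MARKER = "BLOCKED using the PAYLOADBIN ransomware"  # phrase quoted from the note


@dataclass
class TriageResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def hit(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def triage(root: str) -> TriageResult:
    """Walk `root` and collect paths matching the two indicators."""
    res = TriageResult()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.upper().endswith(EXT):
                res.encrypted_files.append(path)
            elif name == NOTE_NAME:
                # Only count a note that carries the quoted phrase, so a stray
                # copy of the file name alone does not produce a false positive.
                try:
                    with open(path, encoding="utf-8", errors="ignore") as fh:
                        if NOTE_MARKER in fh.read():
                            res.ransom_notes.append(path)
                except OSError:
                    pass
    return res


def build_sample_tree() -> str:
    """Constructed sample only: one encrypted file, one note, one clean file."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "shares", "finance")
    os.makedirs(sub)
    open(os.path.join(sub, "Q1-report.xlsx.PAYLOADBIN"), "wb").close()
    with open(os.path.join(sub, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("Your networks have been BLOCKED using the PAYLOADBIN ransomware.\n")
    open(os.path.join(root, "notes.txt"), "w").close()
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(f"encrypted={len(r.encrypted_files)} notes={len(r.ransom_notes)} hit={r.hit}")
```

Point `triage()` at a mounted share or forensic image root; the returned lists give you the affected directories for scoping before any decryption or restore work.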

It appeared that Babuk had lied about its intention to give up ransomware. However, after analyzing the new ransomware, experts Fabian Wosar of Emsisoft and Michael Gillespie of ID Ransomware confirmed that the program actually belongs to Evil Corp.

"The hackers saw and seized the opportunity to impersonate another group that was not sanctioned," Fabian Wosar suggested.

Let me remind you that I also wrote that Evil Corp returned to criminal activity with WastedLocker ransomware.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
