Evil Corp Switched to Using LockBit Malware to Avoid Sanctions

Evil Corp switched to LockBit

The Evil Corp group switched to using the LockBit ransomware to avoid sanctions imposed earlier by the Office of Foreign Assets Control of the US Department of the Treasury (OFAC).

Let me remind you that Evil Corp has existed since at least 2007, but at first hackers more often acted as partners for other groups. It was only later that Evil Corp began to focus on its own attacks, creating the well-known banking Trojan Dridex. Over time, when it became a ransomware, attacks became more profitable, and Evil Corp launched its own BitPaymer ransomware, delivering it to victims’ machines via Dridex. The latter gradually evolved from an ordinary banker into a complex and multifunctional tool.

All this led to the fact that in 2019 the US authorities filed charges against two Russians who, according to law enforcement officers, were behind the development of the Dridex malware and other malicious operations. Also, the US authorities imposed sanctions on 24 organizations and individuals associated with Evil Corp and the mentioned suspects. As a result, the negotiating companies, which usually negotiate with extortionists to pay a ransom and decrypt the data, refused to “work” with Evil Corp in order to avoid fines and lawsuits from the US Department of the Treasury. And it became much more difficult for the victims themselves to pay the ransom.

After that, in June 2020, Evil Corp switched to using the WastedLocker malware, in 2021 the Hades ransomware appeared (a 64-bit version of WastedLocker, updated with additional code obfuscation and a number of functions), and then the group has already carried out several “rebrands” and impersonated for the PayloadBin grouping and used other ransomware: Macaw and Phoenix.

Evil Corp switched to LockBit

Now, Mandiant analysts noticed that criminals have made a new attempt to distance themselves from hacking tools known to experts so that their victims can pay ransoms without violating OFAC rules.

The activity cluster, which Mandiant tracks as UNC2165, previously deploying the Hades ransomware and associated with Evil Corp, is now “partnering” with the developers of the LockBit ransomware.

Using this RaaS allows UNC2165 to merge with other LockBit affiliates. [Now] to establish the correct attribution, you need to observe the earlier stages of attacks, compared to their previous operations, which could be associated with [Evil Corp] through the use of exclusive ransomware. In addition, frequent code updates and rebranding of HADES required development resources, and it is likely that UNC2165 believes that using LOCKBIT is a more cost-effective choice.the researchers say.

It is assumed that the new tactics will allow hackers to spend the time saved on developing their own malware to expand operations.

Experts also offer another theory: it is likely that the transition to other people’s malicious tools will help Evil Corp free up enough of its own resources to develop a new ransomware from scratch, which can subsequently seriously complicate tracking the new operations of the hack group.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published.