Evil Corp, based in Russia, is jumping from one strain of malware to another in hopes of evading sanctions imposed by the US government in 2019.
You might be wondering why cyber extortionists in Putin’s country are giving US sanctions a bit of a hard time: From what we understand, sanctions mean that anyone who does business with a gang or handles transactions for a gang will facing the wrath of Uncle Sam. Evil Corp is therefore radioactive, few will want to interact with it, and the group must change its appearance and operations to continue generating revenue.
As such, Evil Corp – which has a track record of targeting the financial industry with the Dridex malware it developed – is now using off-the-shelf ransomware, most recently LockBit ransomware as a service, to jam leads and make it easier to get the ransoms they demand from paid victims, according to a report this week from Mandiant.
The US Treasury Department, through its Office of Foreign Assets Control (OFAC), in December 2019 sanctioned Evil Corp on its development and use of Dridex, claiming the group used the malware to infect the systems and steal the login credentials of hundreds of financial institutions in over 40 countries and steal over $100 million.
Those sanctions, according to the Treasury, prohibited U.S. persons “from engaging in transactions” with Evil Corp, and “foreign persons may be subject to secondary sanctions for knowingly facilitating a material transaction or transactions” with the Evil Corp. gang. This would make collecting the ransoms a little trickier, as the world has been warned not to help the group.
The US government has also charged two members of Evil Corp and is offering a $5 million reward for information about them. OFAC in October 2020 upped the ante by releasing a advisory [PDF] on the possibility of imposing sanctions not only on ransomware authors, but also on organizations that facilitate payments, including financial institutions, cryptocurrency exchanges, cyberinsurance companies and companies involved in digital forensics and incident response.
Since then, “actors affiliated with Evil Corp appear to have continually changed the ransomware they use,” the researchers wrote. Particularly after the 2020 notice, “there has been a stoppage of [Evil Corp-attributed] WastedLocker activity and the emergence of several closely related ransomware variants in relatively quick succession. These developments suggest that actors have struggled to receive ransom payments following their ransomware’s public association with Evil Corp.”
Since the sanctions hit, they have also used other ransomware variants including Macaw Locker.
In recent years, Mandiant researchers have tracked UNC2165, a financially motivated group they say has “extensive overlap” with Evil Corp. UNC2165 almost always uses the FakeUpdate chain of infection to gain access to targeted networks and has deployed Hades ransomware in some attacks. Evil Corp has been associated with both WastedLocker and Hades and has also used FakeUpdate extensively.
UNC2165 also allegedly used Beacon payloads and a command-and-control (C2) server that other information security companies have linked to suspected Evil Corp activity, according to Mandiant.
“Based on the overlap between UNC2165 and Evil Corp, we assess with great confidence that these actors have moved away from using proprietary ransomware variants for LockBit – a well-known ransomware-as-a-service (RaaS) – in their operations, likely to impede attribution efforts to evade sanctions,” Mandiant threat hunters wrote. “UNC2165 activity likely represents another development in the operations of Evil Corp-affiliated actors.”
RaaS is a growing model in the world of cybercrime, with developers making their malware available to others for a price, allowing less technically skilled malicious actors to launch sophisticated ransomware attacks. LockBit, by its RaaS nature, has been associated with multiple threat groups and ransomware attacks, and could be seen by members of Evil Corp as a way to circumvent US sanctions.
The group may also have used the name from another notorious ransomware group, REvil. Analysts at cybersecurity firm Emsisoft in December 2021 said they suspected a ransomware infection in which the name REvil appeared repeatedly throughout was likely the work of Evil Corp.
A group called Grief Corp – considered by the Treasury Department to be a rebranded Evil Corp – has been accused of being behind ransomware launched against the NRA and Sinclair Broadcast Group late last year.
For James McQuiggan, security awareness advocate at infosec training firm KnowBe4, what Evil Corp is doing — including modifying their tactics and tools — makes sense given how many of these cybercrime gangs operate. essentially as a business, as data leaked earlier this year from Conti showed.
“Like any business model for organizations, they need to evolve over time to stay ahead of the market and sustain profits,” McQuiggan said. The register in an email. “For cybercriminals, it’s a similar concept. They have to continually develop their applications and encryption to avoid detection and make money through extortion using various methods.”
Even if sanctions against these groups and cryptocurrency exchanges make it difficult to pay, “they will continue to target American organizations,” he said. “It is expected that the targeted organizations will be unaware of these sanctions and will attempt to pay anyway. Additionally, any exploited pressure the organization feels will compel them to find another way to pay the ransom.”
The Mandiant team said the UNC2165 group may have several reasons for adopting existing ransomware – especially popular software like LockBit – rather than using their own, including to further disguise their Evil Corp affiliation by blending in with other affiliates. LockBit could also be a more cost-effective alternative, and adopting RaaS could allow the group to spend its resources elsewhere, including expanding its ransomware deployment operations.
Whatever the reason, the actions taken by Evil Corp over the past two years suggest that the use of penalties can be an effective way to combat the rising tide of ransomware, especially when it includes both the threatening group and the organizations that facilitate the payments, the researchers wrote.
“We expect these actors, as well as others who will be sanctioned in the future, to take steps like these to conceal their identities to ensure that [sanctions are] not a limiting factor in receiving payments from victims,” they said. ®