Evil Corp switches to LockBit ransomware to evade sanctions
The Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets' networks to evade sanctions imposed by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC).
Active since 2007, Evil Corp (aka INDRIK SPIDER or the Dridex gang) is known for pushing the Dridex malware and later switching to the ransomware "business."
The gang started with Locky ransomware and then deployed their own ransomware strain known as BitPaymer until 2019.
After the U.S. sanctioned the group in December 2019 for using Dridex to cause over $100 million in financial damages, it switched to installing its new WastedLocker ransomware in June 2020.
From March 2021, Evil Corp moved to another strain known as Hades ransomware, a 64-bit variant of WastedLocker upgraded with additional code obfuscation and minor feature changes.
Since then, the threat actors have also impersonated the PayloadBin hacking group and used other ransomware strains known as Macaw Locker and Phoenix CryptoLocker.
The LockBit switch
As Mandiant threat analysts have recently observed, the cybercrime gang has now made another attempt to distance itself from known tooling so that victims can pay ransoms without facing the risks associated with violating OFAC regulations.
An activity cluster tracked by Mandiant as UNC2165 (previously deploying Hades ransomware and linked to Evil Corp) is now deploying ransomware as a LockBit affiliate.
"Using this RaaS would allow UNC2165 to blend in with other affiliates, requiring visibility into earlier stages of the attack lifecycle to properly attribute the activity, compared to prior operations that may have been attributable based on the use of an exclusive ransomware," Mandiant said.
"Additionally, the frequent code updates and rebranding of HADES required development resources and it is plausible that UNC2165 saw the use of LOCKBIT as a more cost-effective choice."
This new tactic of acting as a Ransomware as a Service (RaaS) operation affiliate would likely allow them to invest the time needed for ransomware development into broadening the gang's ransomware deployment operations.
Another theory is that a switch to others' malicious tools may free up enough of Evil Corp's resources to develop a new ransomware strain from scratch, making it harder for security researchers to link it to the gang's previous operations.
"We expect these actors as well as others who are sanctioned in the future to take steps such as these to obscure their identities in order to ensure that it is not a limiting factor to receiving payments from victims," Mandiant concluded.