Bleeping Computer: Latest Articles Today

 

Evil Corp switches to LockBit ransomware to evade sanctions

Sergiu Gatlan

BleepingComputer |

The Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets' networks to evade sanctions imposed by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC).

Active since 2007, Evil Corp (aka INDRIK SPIDER or the Dridex gang) is known for pushing the Dridex malware and later switching to the ransomware "business."

The gang started with Locky ransomware and then deployed their own ransomware strain known as BitPaymer until 2019.

Since the U.S. sanctioned them in December 2019 for using Dridex to cause over $100 million in financial damages, the group switched to installing its new WastedLocker ransomware in June 2020.

From March 2021, Evil Corp moved to another strain known as Hades ransomware, a 64-bit variant of WastedLocker upgraded with additional code obfuscation and minor feature changes.

Since then, the threat actors have also impersonated the PayloadBin hacking group and used other ransomware strains known as Macaw Locker and Phoenix CryptoLocker.

The LockBit switch

As Mandiant threat analysts have recently observed, the cybercrime gang has now made another attempt to distance themselves from known tooling to allow victims to pay ransoms without facing the risks associated with violating OFAC regulations,

An activity cluster tracked by Mandiant as UNC2165 (previously deploying Hades ransomware and linked to Evil Corp) is now deploying ransomware as a LockBit affiliate.

"Using this RaaS would allow UNC2165 to blend in with other affiliates, requiring visibility into earlier stages of the attack lifecycle to properly attribute the activity, compared to prior operations that may have been attributable based on the use of an exclusive ransomware," Mandiant said.

"Additionally, the frequent code updates and rebranding of HADES required development resources and it is plausible that UNC2165 saw the use of LOCKBIT as a more cost-effective choice."

LockBit ransomware activity (ID-Ransomware)

This new tactic of acting as a Ransomware as a Service (RaaS) operation affiliate would likely allow them to invest the time needed for ransomware development into broadening the gang's ransomware deployment operations.

Another theory is that a switch to others' malicious tools may provide Evil Corp with enough free resources to develop a new ransomware strain from scratch, making it harder for security researchers to link to the gang's previous operations.

"We expect these actors as well as others who are sanctioned in the future to take steps such as these to obscure their identities in order to ensure that it is not a limiting factor to receiving payments from victims," Mandiant concluded."

 

Latest Articles

• 
  Security

  The Week in Ransomware - June 3rd 2022 - Evading sanctions

  Ransomware gangs continue to evolve their operations as victims refuse to pay ransoms due to sanctions or other reasons.

  • Lawrence Abrams
  • June 03, 2022
  • 04:41 PM
  • 0
• 
  Security

  Novartis says no sensitive data was compromised in cyberattack

  Pharmaceutical giant Novartis says no sensitive data was compromised in a recent cyberattack by the Industrial Spy data-extortion gang.

  • Lawrence Abrams
  • June 03, 2022
  • 03:30 PM
  • 0
• 
  Security

  WatchDog hacking group launches new Docker cryptojacking campaign

  ​The WatchDog hacking group is conducting a new cryptojacking campaign with advanced techniques for intrusion, worm-like propagation, and evasion of security software.

  • Bill Toulas
  • June 03, 2022
  • 01:50 PM
  • 0 

Security, CryptoCurrency

Americans report losing over $1 billion to cryptocurrency scams

The U.S. Federal Trade Commission (FTC) says over 46,000 people Americans have reported losing more than $1 billion worth of cryptocurrency to scams between January 2021 and March 2022.

• Sergiu Gatlan
• June 03, 2022
• 01:24 PM
• 0

Security, Microsoft

Microsoft disrupts Bohrium hackers’ spear-phishing operation

The Microsoft Digital Crimes Unit (DCU) has disrupted a spear-phishing operation linked to an Iranian threat actor tracked as Bohrium that targeted customers in the U.S., Middle East, and India.

• Sergiu Gatlan
• June 03, 2022
• 11:24 AM
• 0

Security

GitLab security update fixes critical account take over flaw

GitLab has released a critical security update for multiple versions of its Community and Enterprise Edition products to address eight vulnerabilities, one of which allows account takeover.

• Bill Toulas
• June 03, 2022
• 09:55 AM
• 0

Deals, Software

Factory reset iOS devices without a password using this app deal

Restore access to locked iOS devices. Get MobiUnlock: Unleash Your Apple Device (Lifetime Subscription) for $39.95 (Reg. $69). 

• BleepingComputer Deals
• June 03, 2022
• 07:27 AM
•