The Russian-based Evil Corp is jumping from one malware strain to another in hopes of evading sanctions placed on it by the US government in 2019.
You might be wondering why cyberextortionists in the Land of Putin give a bit flip about US sanctions: as we understand it, the sanctions mean anyone doing business with or handling transactions for the gang will face the wrath of Uncle Sam. Evil Corp is therefore radioactive, few will want to interact with it, and the group has to shift its appearance and operations to keep its income flowing.
As such, Evil Corp – which made its bones targeting the financial sector with the Dridex malware it developed – is now using off-the-shelf ransomware, most recently the LockBit ransomware-as-a-service, to cover its tracks and make it easier to get paid the ransoms it demands from victims, according to a report this week out of Mandiant.
The US Treasury Department, through its Office of Foreign Assets Control (OFAC), in December 2019 sanctioned Evil Corp over its development and use of Dridex, claiming the group used the malware to infect systems and steal login credentials from hundreds of financial institutions in more than 40 countries and swipe more than $100 million.
Those sanctions, according to the Treasury, banned US persons “from engaging in transactions” with Evil Corp, and “foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions” with the gang. That would make collecting ransoms a little more tricky, as the world has been warned off from aiding the group.
The US government also charged two Evil Corp members and is offering a $5 million reward for information on them. OFAC in October 2020 upped the ante, releasing an advisory [PDF] on the potential for issuing sanctions against not only ransomware perpetrators but also organizations that facilitate payments, including financial institutions, cryptocurrency exchanges, cyber insurance firms, and companies involved in digital forensics and incident response.
Since then, “Evil Corp-affiliated actors appear to have continuously changed the ransomware they use,” the researchers wrote. Particularly after the 2020 advisory, “there was a cessation of [Evil Corp-attributed] WastedLocker activity and the emergence of multiple closely related ransomware variants in relatively quick succession. These developments suggested that the actors faced challenges in receiving ransom payments following their ransomware’s public association with Evil Corp.”
Since the sanctions hit, they also used other ransomware variants, including Macaw Locker.
Mandiant researchers in recent years have been tracking UNC2165, a financially motivated group they say has “numerous overlaps” with Evil Corp. UNC2165 almost always uses the FakeUpdate infection chain to gain access to targeted networks and has deployed Hades ransomware in some attacks. Evil Corp has been associated with both WastedLocker and Hades and has also made heavy use of FakeUpdate.
UNC2165 also reportedly has used Beacon payloads and a command-and-control (C2) server other information security firms have linked to suspected Evil Corp activity, according to Mandiant.
“Based on the overlaps between UNC2165 and Evil Corp, we assess with high confidence that these actors have shifted away from using exclusive ransomware variants to LockBit – a well-known ransomware-as-a-service (RaaS) – in their operations, likely to hinder attribution efforts in order to evade sanctions,” the Mandiant threat hunters wrote. “UNC2165 activity likely represents another evolution in Evil Corp affiliated actors’ operations.”
RaaS is a growing model in the cybercrime world, with developers making their malware available to others for a price, enabling less technically skilled bad actors to launch sophisticated ransomware attacks. LockBit, through its nature as a RaaS, has been associated with multiple threat groups and ransomware attacks, and could be seen by Evil Corp members as a way of getting around the US sanctions.
The group also may have used the name of another notorious ransomware group, REvil. Analysts with cybersecurity firm Emsisoft in December 2021 said they suspected that a ransomware infection in which the REvil name came up numerous times was likely the work of Evil Corp.
To James McQuiggan, security awareness advocate at infosec training company KnowBe4, what Evil Corp is doing – including changing their tactics and tools – makes sense given that many of these cybercrime gangs essentially run like a business, as the data leaks earlier this year from Conti showed.
“Like any business model for organizations, they have to evolve with the times to stay ahead in the market and maintain profit,” McQuiggan told The Register in an email. “For cybercriminals, it’s a similar concept. They need to continually develop their applications and encryption to avoid detection and make money via extortion using various methods.”
Even though sanctions against such groups and cryptocurrency exchanges make it difficult to get paid, “they will continue to target US organizations,” he said. “The anticipation is that the targeted organizations may be unaware of those sanctions and will still attempt to pay. Additionally, any exploited pressure that the organization is feeling will compel them to find another way to pay the ransom.”
The Mandiant team said there could be multiple reasons for the UNC2165 group to adopt existing ransomware – particularly a popular one like LockBit – rather than using its own, including further obscuring its affiliation with Evil Corp by blending in with other affiliates. LockBit also could simply be a more cost-effective alternative, and adopting RaaS could allow the group to spend its resources elsewhere, including on expanding its ransomware deployment operations.
Whatever the reason, the moves by Evil Corp over the past two years suggest the use of sanctions may be an effective way to fight back against the rising tide of ransomware, particularly when they include both the threat group and those organizations that facilitate the payments, the researchers wrote.
“We expect these actors as well as others who are sanctioned in the future to take steps such as these to obscure their identities in order to ensure that [sanctions are] not a limiting factor to receiving payments from victims,” they opined. ®