Evil Corp hackers evolve ransomware tactics to dodge US sanctions

The Russia-based cybercriminal group known as Evil Corp has shifted to a ransomware-as-a-service model in an effort to skirt U.S. sanctions, according to research from cybersecurity firm Mandiant.

The U.S. Treasury’s Office of Foreign Assets Control, or OFAC, sanctioned Evil Corp in December 2019, citing the group’s extensive development of Dridex malware, which the gang used to steal more than $100 million from hundreds of banks and financial institutions.

Since then, Mandiant researchers have observed a number of ransomware intrusions attributed to an as-yet uncategorized threat group it tracks as UNC2165, which the threat intelligence firm says shares “numerous overlaps” with Evil Corp and likely represents another evolution in the operations of Evil Corp-affiliated actors.

UNC2165 is a group that Mandiant has tracked since 2019. It almost exclusively obtains access to networks through an infection chain Mandiant calls “FakeUpdates,” in which victims are tricked into opening a malicious download disguised as a browser update. The same tactic served as an infection vector for Dridex and was later used by Evil Corp attackers to deploy BitPaymer and WastedLocker, two ransomware variants developed by the sanctioned hacking group.

UNC2165 has also deployed the Hades ransomware, which has code and functional similarities to other ransomware believed to be associated with Evil Corp-affiliated threat actors. Mandiant researchers also found overlaps in infrastructure, noting that command and control servers attributed to UNC2165 have been publicly reported by other security vendors in association with suspected Evil Corp activity.

Mandiant says it has also observed the threat actor using LockBit, a prominent ransomware-as-a-service operation, enabling the threat actor to blend in with other affiliates. While this isn’t the first time we’ve seen Evil Corp shift its tactics to avoid sanctions, Mandiant notes that moving toward a ransomware-as-a-service model effectively conceals the other criminal parties who may have selected the target and carried out the intrusion, allowing the hackers to take advantage of the model to carry out their operations in anonymity.

“Based on the overlaps between UNC2165 and Evil Corp, we assess with high confidence that these actors have shifted away from using exclusive ransomware variants to LockBit in their operations, likely to hinder attribution efforts in order to evade sanctions,” said the report. “The adoption of existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp. Its adoption could also temporarily afford the actors more time to develop completely new ransomware from scratch, limiting the ability of security researchers to easily tie it to previous Evil Corp operations.”

News of another evolution of Evil Corp comes just days after the defunct REvil ransomware gang — which has in the past been linked to activity attributed to Evil Corp — claimed responsibility for a distributed denial-of-service campaign against a customer of cloud networking provider Akamai. However, researchers said it is highly possible the attack is not a resurgence of the infamous cybercriminal group but rather a copycat operation.