Evil Corp has changed tactics again, this time using LockBit ransomware after US sanctions have made it difficult for the cyber-criminal group to attain financial gain from its activity, researchers have discovered.
The cyber-criminal group is now distancing itself from its former branding by changing tactics & tools once again, aiming to continue to profit from its activity.
Financially Motivated
Researchers from Mandiant Intelligence have been tracking a “financially motivated threat cluster” they are calling UNC2165, which has many overlaps with Evil Corp & is highly likely the latest version of the group.
UNC2165 is using a mixture of the Fake Updates infection chain to gain access to target networks followed by the LockBit ransomware, researchers wrote in a report published Thur. The activity seems to represent “another evolution in Evil Corp affiliated actors’ operations,” they revealed.
“Numerous reports have highlighted the progression of linked activity including development of new ransomware families & a reduced reliance on Dridex to enable intrusions,” researchers wrote.
“Despite these apparent efforts to obscure attribution, UNC2165 has notable similarities to operations publicly attributed to Evil Corp.”
Dridex Malware
The US Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Evil Corp in Dec. 2019 in a widespread crackdown on the dangerous & prolific cyber-criminal group best known for spreading the info-stealing Dridex malware & later its own Wasted Locker ransomware.
The sanctions forbid any US body from doing business or being associated with Evil Corp, effectively preventing ransomware negotiation firms from facilitating ransom payments for the group, which obviously limits its ability to profit from criminal activity.
Shapeshifting Cyber-Criminals
Evil Corp took a brief break after the sanctions & the subsequent prosecution of its leaders, but has since hidden itself through clever rebranding to continue its activity.
Its latest gambit is not the 1st time the group has used a different identity to try to avoid sanctions. About a year ago, Evil Corp tried to disguise itself by using previously unknown ransomware called PayloadBin, which researchers observed was likely a rebrand of its own ransomware, Wasted Locker, reports stated.
Before that, the group resurfaced briefly soon after the OFAC sanctions were levied with new tactics to try to hide its activity, using HTML redirectors, a commonly used threat tool (code that uses meta refresh tags to redirect users to another website), to drop payloads through malicious Excel files.
Recent Incarnation
The recent activity from Evil Corp “almost exclusively” gains access to victims’ networks on the back of a group tracked as UNC1543, to which the use of Fake Updates has been linked, according to Mandiant. In the months before the govt’s indictments of Evil Corp, this method was used as the initial infection vector for Dridex & the BitPaymer & DoppelPaymer ransomware.
Evil Corp is also using other ransomware, specifically Hades, in its activity as UNC2165, researchers stated. “Hades has code & functional similarities to other ransomware believed to be associated with Evil Corp-affiliated threat actors,” they explained.
Natural Evolution
The use of other ransomware is a “natural evolution” for this emerging criminal group to distance itself from Evil Corp, researchers suggested.
LockBit in particular, more than Hades, is a good fit because of its RaaS model & its rise to prominence in recent years, they outlined. LockBit has itself taken down some big targets, such as Accenture & Bangkok Air, in the last 12 months.
“Using this RaaS would allow UNC2165 to blend in with other affiliates,” researchers wrote. “Additionally, the frequent code updates & rebranding of HADES required development resources & it is plausible that UNC2165 saw the use of LOCKBIT as a more cost-effective choice.”
Makes Sense
Since ransomware operators see their operations the way other business leaders do, it makes sense that they also have to evolve to stay ahead in the market & maintain profit, just like anyone else, noted a security professional.
“For cyber-criminals, it’s a similar concept,” observed James McQuiggan, security awareness advocate at security firm KnowBe4. “They need to continually develop their applications & encryption to avoid detection & make money via extortion using various methods.”
Relevant
Also, it is not surprising that Evil Corp is using other ransomware to continue to stay relevant &, more importantly, get paid, he explained.
With Evil Corp hiding in the activity of other ransomware groups, targets will likely pay an extortion fee, as they would not be aware of the govt. sanctions against the true perpetrators of the crime, McQuiggan concluded.