Evil Corp switches to LockBit ransomware to evade sanctions

by chebbi abir

The Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets’ networks to evade sanctions imposed by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).

Active since 2007, Evil Corp (aka INDRIK SPIDER or the Dridex gang) is known for pushing the Dridex malware and later switching to the ransomware “business.”

The gang started with Locky ransomware and then deployed their own ransomware strain known as BitPaymer until 2019.

After the U.S. sanctioned the group in December 2019 for using Dridex to cause over $100 million in financial damages, it switched to installing its new WastedLocker ransomware in June 2020.

From March 2021, Evil Corp moved to another strain known as Hades ransomware, a 64-bit variant of WastedLocker upgraded with additional code obfuscation and minor feature changes.

Since then, the threat actors have also impersonated the PayloadBin hacking group and used other ransomware strains known as Macaw Locker and Phoenix CryptoLocker.

The LockBit switch

As Mandiant threat analysts have recently observed, the cybercrime gang has now made another attempt to distance itself from known tooling so that victims can pay ransoms without facing the risks associated with violating OFAC regulations.

An activity cluster tracked by Mandiant as UNC2165 (previously deploying Hades ransomware and linked to Evil Corp) is now deploying ransomware as a LockBit affiliate.

“Using this RaaS would allow UNC2165 to blend in with other affiliates, requiring visibility into earlier stages of the attack lifecycle to properly attribute the activity, compared to prior operations that may have been attributable based on the use of an exclusive ransomware,” Mandiant said.

“Additionally, the frequent code updates and rebranding of HADES required development resources and it is plausible that UNC2165 saw the use of LOCKBIT as a more cost-effective choice.”

[Figure: LockBit ransomware activity (ID-Ransomware)]

This new tactic of acting as a Ransomware as a Service (RaaS) operation affiliate would likely allow them to invest the time needed for ransomware development into broadening the gang’s ransomware deployment operations.

Another theory is that a switch to others’ malicious tools may provide Evil Corp with enough free resources to develop a new ransomware strain from scratch, making it harder for security researchers to link to the gang’s previous operations.

“We expect these actors as well as others who are sanctioned in the future to take steps such as these to obscure their identities in order to ensure that it is not a limiting factor to receiving payments from victims,” Mandiant concluded.

To read the original article:
