Even Russia's Evil Corp now favors software-as-a-service

Albeit to avoid US sanctions hitting it in the wallet

The Russian-based Evil Corp is jumping from one malware strain to another in hopes of evading sanctions placed on it by the US government in 2019.

You might be wondering why cyberextortionists in the Land of Putin give a bit flip about US sanctions: as we understand it, the sanctions mean anyone doing business with or handling transactions for the gang will face the wrath of Uncle Sam. Evil Corp is therefore radioactive, few will want to interact with it, and the group has to shift its appearance and operations to keep its income flowing.

As such, Evil Corp – which made its bones targeting the financial sector with the Dridex malware it developed – is now using off-the-shelf ransomware, most recently the LockBit ransomware-as-a-service, to cover its tracks and make it easier to collect the ransoms it demands from victims, according to a report this week out of Mandiant.

The US Treasury Department, through its Office of Foreign Assets Control (OFAC), in December 2019 sanctioned Evil Corp over its development and use of Dridex, claiming the group used the malware to infect systems and steal login credentials from hundreds of financial institutions in more than 40 countries and swipe more than $100 million.

Those sanctions, according to the Treasury, banned US persons "from engaging in transactions" with Evil Corp, and "foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions" with the gang. That would make collecting ransoms a little more tricky, as the world has been warned off from aiding the group.

The US government also charged two Evil Corp members and is offering a $5 million reward for information on them. OFAC in October 2020 upped the ante, releasing an advisory [PDF] on the potential for issuing sanctions against not only ransomware perpetrators but also organizations that facilitate payments, including financial institutions, cryptocurrency exchanges, cyber insurance firms, and companies involved in digital forensics and incident response.

Since then, "Evil Corp-affiliated actors appear to have continuously changed the ransomware they use," the researchers wrote. Particularly after the 2020 advisory, "there was a cessation of [Evil Corp-attributed] WastedLocker activity and the emergence of multiple closely related ransomware variants in relatively quick succession. These developments suggested that the actors faced challenges in receiving ransom payments following their ransomware's public association with Evil Corp."

Since the sanctions hit, the group has also used other ransomware variants, including Macaw Locker.

Mandiant researchers in recent years have been tracking UNC2165, a financially motivated group they say has "numerous overlaps" with Evil Corp. UNC2165 almost always uses the FakeUpdate infection chain to gain access to targeted networks and has deployed Hades ransomware in some attacks. Evil Corp has been associated with both WastedLocker and Hades and has also made heavy use of FakeUpdate.

UNC2165 also reportedly has used Beacon payloads and a command-and-control (C2) server other information security firms have linked to suspected Evil Corp activity, according to Mandiant.

"Based on the overlaps between UNC2165 and Evil Corp, we assess with high confidence that these actors have shifted away from using exclusive ransomware variants to LockBit – a well-known ransomware-as-a-service (RaaS) – in their operations, likely to hinder attribution efforts in order to evade sanctions," the Mandiant threat hunters wrote. "UNC2165 activity likely represents another evolution in Evil Corp affiliated actors' operations."

RaaS is a growing model in the cybercrime world, with developers making their malware available to others for a price, enabling less-technically skilled bad actors to launch sophisticated ransomware attacks. LockBit, through its nature as a RaaS, has been associated with multiple threat groups and ransomware attacks, and could be seen by Evil Corp members as a way of getting around the US sanctions.

The group also may have used the name of another notorious ransomware group, REvil. Analysts with cybersecurity firm Emsisoft in December 2021 said they suspected that a ransomware infection in which the REvil name appeared numerous times was likely the work of Evil Corp.

A group called Grief Corp – believed by the Treasury Department to be a rebranded Evil Corp – was accused of being behind ransomware thrown at the NRA and Sinclair Broadcast Group late last year.

To James McQuiggan, security awareness advocate at infosec training company KnowBe4, what Evil Corp is doing – including changing their tactics and tools – makes sense given that many of these cybercrime gangs essentially run like a business, as the data leaks earlier this year from Conti showed.

"Like any business model for organizations, they have to evolve with the times to stay ahead in the market and maintain profit," McQuiggan told The Register in an email. "For cybercriminals, it's a similar concept. They need to continually develop their applications and encryption to avoid detection and make money via extortion using various methods."

Even though sanctions against such groups and cryptocurrency exchanges make it difficult to get paid, "they will continue to target US organizations," he said. "The anticipation is that the targeted organizations may be unaware of those sanctions and will still attempt to pay. Additionally, any exploited pressure that the organization is feeling will compel them to find another way to pay the ransom."

The Mandiant team said there could be multiple reasons for the UNC2165 group to adopt existing ransomware – particularly a popular one like LockBit – rather than using its own, including to further obscure its affiliation with Evil Corp by blending in with other affiliates. LockBit could also simply be a more cost-effective alternative, and adopting RaaS could allow the group to spend its resources elsewhere, including on expanding its ransomware deployment operations.

Whatever the reason, the moves by Evil Corp over the past two years suggest the use of sanctions may be an effective way to fight back against the rising tide of ransomware, particularly when they include both the threat group and those organizations that facilitate the payments, the researchers wrote.

"We expect these actors as well as others who are sanctioned in the future to take steps such as these to obscure their identities in order to ensure that [sanctions are] not a limiting factor to receiving payments from victims," they opined. ®

Biting the hand that feeds IT © 1998–2022