A Russia-based cybercriminal group known as Evil Corp has adopted a ransomware-as-a-service model to circumvent U.S. sanctions, according to research by cybersecurity firm Mandiant.
The U.S. Treasury Department’s Office of Foreign Assets Control, or OFAC, sanctioned Evil Corp in December 2019, citing the group’s extensive development of the Dridex malware, through which the gang stole over $100 million from hundreds of banks and financial institutions.
Since then, Mandiant researchers have observed a number of ransomware intrusions attributed to an as yet unclassified threat group they track as UNC2165, which the threat intelligence firm says has “numerous matches” to Evil Corp and likely represents another evolution of the Evil Corp actors’ operations.
UNC2165 is a group that Mandiant has been tracking since 2019 that almost exclusively gains access to networks through an infection chain Mandiant calls “FakeUpdates,” in which victims are tricked into running malware disguised as a browser update. This tactic was also used as a Dridex infection vector and was later used by Evil Corp attackers to deploy BitPaymer and WastedLocker, two ransomware variants developed by the sanctioned group.
UNC2165 also deployed Hades ransomware, whose code and functionality are similar to other ransomware believed to be linked to Evil Corp-affiliated threat actors. Mandiant researchers also found overlaps in infrastructure, noting that command and control servers attributed to UNC2165 have been publicly reported by other security vendors in connection with suspected Evil Corp activity.
Mandiant says it also observed the attackers using LockBit, a well-known ransomware-as-a-service operation that allows them to blend in with other affiliates. While this isn’t the first time Evil Corp has been seen changing its tactics to avoid sanctions, Mandiant notes that the move to ransomware as a service effectively obscures the other criminal parties who may have targeted and carried out an intrusion, allowing the hackers to use the model to conduct their operations anonymously.
“Based on the overlaps between UNC2165 and Evil Corp, we assess with high confidence that these entities have moved from using exclusive ransomware variants to LockBit in their operations, which could hinder attribution efforts to evade sanctions,” the report says. “The adoption of existing ransomware is a natural evolution for UNC2165, which is trying to hide its affiliation with Evil Corp. Its use could also temporarily give the actors more time to develop entirely new ransomware from scratch, limiting the ability of security researchers to easily link them to previous Evil Corp operations.”
News of Evil Corp’s latest evolution came just days after the defunct REvil ransomware gang, which has been linked in the past to activity attributed to Evil Corp, claimed responsibility for a distributed denial-of-service campaign against a customer of cloud provider Akamai. However, researchers said it is highly likely that the attack is not a resurgence of the infamous cybercriminal group, but rather a copycat operation.
Credit: techcrunch.com