Evil Corp Hacker Group Changes Ransomware Tactics to Evade US Sanctions

  • Russian hacker group Evil Corp has reportedly updated its attack methods to avoid sanctions prohibiting US companies from paying it a ransom.

    The shift was reported by threat intelligence firm Mandiant, which recently published a blog post attributing a series of LockBit ransomware intrusions to UNC2165, a threat cluster that Mandiant says shares numerous overlaps with Evil Corp.

    Evil Corp itself was sanctioned by the US Treasury Department in December 2019 for using the Dridex malware to infect hundreds of banks and financial institutions across 40 countries and to steal more than $10m; UNC2165 is Mandiant's designation for the activity cluster it links to that group.

    From a regulatory standpoint, these sanctions prohibit US persons from transacting with the designated group, which in practice prevented victim organizations from paying a ransom to UNC2165 to restore access to their systems.

    “These sanctions have had a direct impact on threat actor operations, particularly as at least some companies involved in ransomware remediation activities, such as negotiation, refuse to facilitate payments to known sanctioned entities,” wrote Mandiant.

    “This can ultimately reduce threat actors’ ability to be paid by victims, which is the primary driver of ransomware operations.”

    In response, to hide evidence of the group's involvement (so that compromised firms would be more likely to pay the ransom), Evil Corp/UNC2165 has reportedly changed tactics over the last couple of years, switching from WastedLocker to the Hades ransomware.

    According to Mandiant, the group changed tactics once again and began using the ransomware-as-a-service (RaaS) offering known as LockBit from early 2021.

    “The adoption of an existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp,” wrote the threat intelligence company.

    “Using this RaaS would allow UNC2165 to blend in with other affiliates, requiring visibility into earlier stages of the attack lifecycle to properly attribute the activity, compared to prior operations that may have been attributable based on the use of an exclusive ransomware.”

    Mandiant concluded its post by suggesting that the actors behind UNC2165 operations may continue to take additional steps to distance themselves from the Evil Corp name in the future.

    “We expect these actors as well as others who are sanctioned in the future to take steps such as these to obscure their identities in order to ensure that it is not a limiting factor to receiving payments from victims.”