The Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets’ networks to evade sanctions imposed by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
Active since 2007, Evil Corp (aka INDRIK SPIDER or the Dridex gang) is known for pushing the Dridex malware and later switching to the ransomware “business.”
The gang started with Locky ransomware and then deployed their own ransomware strain known as BitPaymer until 2019.
An activity cluster tracked by Mandiant as UNC2165 (previously deploying Hades ransomware and linked to Evil Corp) is now deploying ransomware as a LockBit affiliate.
“Using this RaaS would allow UNC2165 to blend in with other affiliates, requiring visibility into earlier stages of the attack lifecycle to properly attribute the activity, compared to prior operations that may have been attributable based on the use of an exclusive ransomware,” Mandiant said.
“Additionally, the frequent code updates and rebranding of HADES required development resources and it is plausible that UNC2165 saw the use of LOCKBIT as a more cost-effective choice.”
This new tactic of operating as a Ransomware-as-a-Service (RaaS) affiliate would likely let the gang redirect the time otherwise spent on ransomware development into broadening its ransomware deployment operations.
Another theory is that switching to others’ malicious tools may give Evil Corp enough free resources to develop a new ransomware strain from scratch, making it harder for security researchers to link it to the gang’s previous operations.
“We expect these actors as well as others who are sanctioned in the future to take steps such as these to obscure their identities in order to ensure that it is not a limiting factor to receiving payments from victims,” Mandiant concluded.