Euro Security Watch with Mathew J. Schwartz

Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service

Evil by a Different Name: Crime Gang Rebrands Ransomware

WastedLocker Ransomware From Evil Corp Disguised as PayloadBin to Avoid Sanctions
Evil by a Different Name: Crime Gang Rebrands Ransomware
Evil Corp has allegedly camouflaged its WastedLocker malware as the Babuk gang's Payload.bin (Source: MalwareHunterTeam)

If you're a high-earning Russian cybercrime gang, but feeling the heat after being sanctioned by the U.S. government, why not rebrand?

See Also: 5 Requirements for Modern DLP

So goes an apparent move by the notorious Evil Corp to co-opt the name of a rival gang's ransomware, as Bleeping Computer first reported.

Security experts have been tracking how Evil Corp, which the U.S. Treasury Department’s Office of Foreign Assets Control sanctioned in December 2019, continues to evolve.

Recently, Evil Corp appears to have rebranded its WastedLocker ransomware - aka PhoenixLocker and Hades - as PayloadBin, which is run by a different gang called Babuk, says Fabian Wosar, CTO of security firm Emsisoft. But the executable being used by Evil Corp is still a version of WastedLocker, Wosar says.

Accordingly, the "rebranding" move is likely "an attempt to trick victims into violating OFAC regulations," he says.

The move follows the Babuk gang in May announcing the development of a dedicated data leak site, which it recently debuted under the name Payload.bin, according to the MalwareHunterTeam group of researchers.

The Rise of Evil Corp

One surprise with Evil Corp is the operation's longevity. The crime gang began life in 2011, with ties to the Zeus banking Trojan operation, and later developed its own banking malware called Dridex.

The FBI says Dridex was used to steal more than $100 million from hundreds of banks across 40 countries. Subsequently, the malware was also being used as a loader, to install BitPaymer ransomware on victims' systems.

In December 2019, a U.S. grand jury indicted two Russian nationals - Maksim Yakubets and Igor Turashev - for allegedly running Evil Corp.

After having helped launder money and assist the GameOver/Zeus botnet and malware operation, Yakubets was serving "as Evil Corp's leader and is response for managing the group's malicious cyber activities," the Treasury Department said at the time. Announcing a $5 million reward for information leading to his capture, it added that since at least 2017, Yukabets had been working for Russia's Federal Security Service, known as the FSB, which it had previously sanctioned for attacks against U.S. targets.

The FBI’s most wanted poster for Maksim Yakubets

Turashev, meanwhile, allegedly "was involved in helping Evil Corp exploit victims’ networks," including running the Dridex malware operation, the Treasury Department said.

Both men remain at large.

By June 2020, Evil Corp appeared to have retooled, debuting new crypto-locking malware called WastedLocker, which was demanding ransom payments of $500,000 to $1 million per infection. At least at that time, security experts said the operation - unlike most other ransomware gangs - wasn't stealing and leaking data to try and force victims to pay. In the following months, the gang racked up a number of victims, including publicly traded companies and newspapers.

Sanctions Reminder

But since 2019, any WastedLocker victims who pay Evil Corp any ransom money do so at their OFAC-violating peril.

In October 2020, the Treasury Department issued a reminder that any organization or individual, anywhere in the world, who paid a ransom to Evil Corp would be violating OFAC sanctions. While officials didn't say what action they might take against sanctions-breakers, the warning was clear: Pay sanctioned criminals, and the U.S. government will come after you.

Experts say that all reputable insurers, incident response firms and ransomware negotiators will not engage with any individual or organization on the OFAC sanctions list, for example, to negotiate ransom payments in return for the promise of a decryption key or pledge to delete stolen data.

In November 2020, for example, ransomware incident response firm Coveware said that it had blacklisted the DarkSide ransomware operation, placing it on a list of gangs with which it would not engage, after DarkSide said it would be using servers based in Iran to make its infrastructure more difficult for Western law enforcement agencies to disrupt. But by contracting with Iranian entities, DarkSide itself would be violating OFAC sanctions.

DarkSide responded with a furious-sounding press release, alleging that it did not use any Iranian services.

Apparently, business continued relatively unimpeded for the group, at least until it received $4.4 million from East Coast fuel supplier Colonial Pipeline Co. In the wake of the political fallout from that attack, the group suggested it might curtail its operations, with experts predicting the ransomware-as-a-service operation would soon resurface under a different name (see: Ransomware Gangs 'Playing Games' With Victims and Public).

As the White House moves to more forcefully disrupt ransomware operations and deter ransomware gang members from making a profit, it's a fair bet that whoever is running DarkSide - among other crime gangs - may soon be outed and join Evil Corp on the list of sanctioned entities and individuals.

To try and avoid U.S. sanctions deterring victims from paying them, these gangs will have to do a lot more than just rename their malware.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.