Operators of new ransomware PayloadBIN, linked to the cybercriminal group Evil Corp, are trying to avoid sanctions imposed by the Office of Foreign Assets Control of the US Treasury Department (OFAC).Members of Evil Corp (also known as Indrik Spider and Dridex) started out as partners with the ZeuS botnet operators. Over time, Evil Corp formed its own group that focused on distributing a banking Trojan called Dridex via phishing emails.
When the gangs began to move towards high-yield ransomware attacks, Evil Corp used BitPaymer ransomware, which was spread by the Dridex malware to compromised corporate networks.
Following sanctions by the U.S. government in 2019, firms negotiating with ransomware operators refused to pay ransoms for Evil Corp’s attacks to avoid fines or lawsuits from the U.S. Treasury Department. Evil Corp has begun renaming its ransomware campaigns to Hades and Phoenix in an effort to bypass these sanctions.
Recall that at the end of April this year, Babuk operators announced the termination of their activities. However, two weeks later, the hackers reminded about themselves, presenting a new project, Payload Bin.
BleepingComputer discovered a new sample of ransomware called PayloadBIN on VirusTotal and initially suggested that the malware was related to the Babuk Locker rebranding. Once installed, the ransomware adds the .PAYLOADBIN extension to the encrypted files. In addition, the ransom note is called PAYLOADBIN-README.txt and informs the victim that “the networks have been BLOCKED using the PAYLOADBIN ransomware.”
Babuk allegedly lied about its intentions to refuse from the ransomware. However, after analyzing the new ransomware, experts Fabian Wosar from Emsisoft and Michael Gillespie from ID Ransomware confirmed that the program actually belongs to Evil Corp.
Let me remind you that I also wrote that Evil Corp returns to criminal activity with WastedLocker ransomware.