Fox-IT experts talked about the latest activity of the famous hacker group Evil Corp. According to analysts, the group came back to life in January of this year and conducted several malicious campaigns, and then completely resumed activity with new tools – such as the WastedLocker ransomware.Let me remind you that the Evil Corp group is called one of the most active and arrogant among cybercriminals. For information about its members, the US government has established a reward of $5 million, and the media often discuss rumors about their luxurious lifestyle and possible connections with Russian special services.
Evil Corp, also known as Dridex, has been active since about 2007, when several hackers previously associated with the ZeuS banking trojan decided to try their luck at spreading malware.
“At first, the group focused on distributing the Cridex banking trojan, which later turned into the Dridex banker, and even later into the multi-purpose malicious Dridex toolkit”, – said Fox-IT experts.
Thanks to Dridex, one of the largest botnets for distributing malware and spam was at the disposal of the group. This way Evil Corp distributed both its own malware and malware for other criminal groups, as well as custom spam messages.
In 2016, the group also began distributing ransomware, starting with Locky. However, as the ransomware’s focus began to shift from home consumers to corporate goals, Evil Corp also turned to situation and created a new extortionist BitPaymer ransomware.
“Evil Corp used its gigantic botnet from Dridex-infected devices to search for corporate networks, and then deployed BitPaymer to the networks of the largest enterprises that they could find”, — Fox-IT researchers tell the story of Evil Corp.
BitPaymer was actively used between 2017 and 2019, but then the attacks gradually began to stop. The reasons for this decline are still unclear, but it could be due to the fact that the Dridex botnet also “slowed down” between 2017 and 2019.
Fox-IT writes that this decline in group activity ended after U.S. Department of Justice allegations in absentia against Evil Corp members in December 2019. After that, the hackers were silent for almost a month, until January 2020, but then they resumed activity and conducted several malicious campaigns, mainly for other scammers.
In the spring of 2020, Evil Corp again “came back to life” and this time with new tools. According to researchers, the group developed a new WastedLocker ransomware to replace the obsolete BitPaymer, which has been used since the beginning of 2017.
According to the researchers, this malware was written from scratch, and the analysis of the new ransomware showed almost no signs of code reuse and other similarities between BitPaymer and WastedLocker. Some parallels can be seen only in the text of the ransom note.
Fox-IT experts track the use of WastedLocker since May 2020. According to them, so far the ransomware has been used exclusively against American companies, and the amount of ransoms that Evil Corp requires from the victims now amounts to millions of dollars. For example, researchers know a case where hackers requested $10,000,000 from a company. Based on data from VirusTotal, analysts say that WastedLocker has been used as intended at least five times.
“Evil Corp’s operators are very aggressive in deploying the new WastedLocker ransomware: they typically attack file servers, database services, virtual machines, and cloud environments. The group also seeks to disrupt the operation of backup applications and related infrastructure, that is, in every way makes it difficult to recover information for affected companies”, – said Fox-IT experts.
At the same time, Evil Corp is not doing what is now in trend among other extortion groups: WastedLocker is not able to steal data before encrypting it. Let me remind you that currently 10 of 15 hacker groups infect company networks, steal confidential data, and only after that encrypt files, and also threaten to publish stolen data in the public domain (on their own sites or file sharing sites).
Similar tactics, for example, use the Sodinokibi group (REvil).
So far, Evil Corp has not done anything like this, and Fox-IT experts believe this is a well-informed decision. The fact is that the “damp” of stolen data usually attracts a lot of media attention, which Evil Corp members would probably like to avoid, because some members of the group are already on the list of the most wanted FBI criminals.