Even Russia's Evil Corp now favors software-as-a-service
2022-06-03 22:55

The Russia-based Evil Corp is jumping from one malware strain to another in hopes of evading sanctions placed on it by the US government in 2019.

Evil Corp - which made its bones targeting the financial sector with the Dridex malware it developed - is now using off-the-shelf ransomware, most recently the LockBit ransomware-as-a-service (RaaS), to cover its tracks and make it easier to get victims to pay the ransoms it demands, according to a report this week out of Mandiant.

The US Treasury Department, through its Office of Foreign Assets Control, in December 2019 sanctioned Evil Corp over its development and use of Dridex, claiming the group used the malware to infect systems and steal login credentials from hundreds of financial institutions in more than 40 countries and swipe more than $100 million.

LockBit, by its nature as a RaaS, has been associated with multiple threat groups and ransomware attacks, and could be seen by Evil Corp members as a way of getting around the US sanctions.

Analysts with cybersecurity firm Emsisoft in December 2021 said they suspected that a ransomware infection in which the REvil name came up numerous times was likely the work of Evil Corp. A group called Grief Corp - believed by the Treasury Department to be a rebranded Evil Corp - was accused of being behind ransomware thrown at the NRA and Sinclair Broadcast Group late last year.

Whatever the reason, the moves by Evil Corp over the past two years suggest the use of sanctions may be an effective way to fight back against the rising tide of ransomware, particularly when they include both the threat group and those organizations that facilitate the payments, the researchers wrote.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/06/03/evil-corp-ransomware-sanctions/