Evil Corp Pivots LockBit to Dodge U.S. Sanctions

Evil Corp has shifted tactics once again, this time pivoting to LockBit ransomware after U.S. sanctions have made it difficult for the cybercriminal group to reap financial gain from its activity, researchers have found.

Researchers from Mandiant Intelligence have been tracking a “financially motivated threat cluster” they’re calling UNC2165 that has numerous overlaps with Evil Corp and is highly likely the latest incarnation of the group.

UNC2165 is using a combination of the FakeUpdates infection chain to gain access to target networks followed by the LockBit ransomware, researchers wrote in a report published Thursday. The activity appears to represent “another evolution in Evil Corp affiliated actors’ operations,” they wrote.

“Numerous reports have highlighted the progression of linked activity including development of new ransomware families and a reduced reliance on Dridex to enable intrusions,” researchers wrote. “Despite these apparent efforts to obscure attribution, UNC2165 has notable similarities to operations publicly attributed to Evil Corp.”

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Evil Corp in December 2019 in a widespread crackdown on the dangerous and prolific cybercriminal group best known for spreading the aforementioned info-stealing Dridex malware and later its own WastedLocker ransomware.

The sanctions basically forbid any U.S. entity from doing business or being associated with Evil Corp, effectively preventing ransomware negotiation firms from facilitating ransom payments for the group–obviously limiting its ability to profit from criminal activity.

Shapeshifting Cybercriminals

Evil Corp took a brief hiatus after the sanctions and a subsequent indictment of its leaders, but since has cloaked itself through clever rebranding to continue its nefarious activity.

Indeed, its latest pivot is not the first time the group used a different identity to try to skirt sanctions against it. About a year ago, Evil Corp tried to mask itself by using previously unknown ransomware called PayloadBin, which researchers determined was likely a rebrand of its own ransomware, WastedLocker, according to reports.

Before that the group resurfaced briefly soon after the OFAC sanctions were levied with new tactics to try to hide its activity, leveraging the oft-used threat tool HTML redirectors–or code that uses meta refresh tags to redirect users to another website–to drop payloads through malicious Excel files.

Most Recent Incarnation

The latest activity from Evil Corp “almost exclusively” gains access to victims’ networks on the back of a group tracked as UNC1543, to which the use of FakeUpdates has been linked, according to Mandiant. In the months prior to the government’s indictments of Evil Corp, this method was used as the initial infection vector for Dridex and the BitPaymer and DoppelPaymer ransomware.

Evil Corp also is deploying other ransomware—specifically Hades–in its activity as UNC2165, researchers said. “Hades has code and functional similarities to other ransomware believed to be associated with Evil Corp-affiliated threat actors,” they said.

The use of other ransomware is indeed a “natural evolution” for this emerging criminal group to distance itself from Evil Corp, researchers said.

However, LockBit more than Hades especially is a natural fit because of its RaaS model and rise to prominence in recent years, they said. Indeed, LockBit has taken down some big-name targets in its own right, such as Accenture and Bangkok Air, in the last year.

“Using this RaaS would allow UNC2165 to blend in with other affiliates,” researchers wrote. “Additionally, the frequent code updates and rebranding of HADES required development resources and it is plausible that UNC2165 saw the use of LOCKBIT as a more cost-effective choice.”

The Move Makes Sense

Since ransomware operators see their operations as any other business leaders would, it makes sense that they also have to evolve with the times to stay ahead in the market and maintain profit just like anyone else, noted a security professional.

“For cybercriminals, it’s a similar concept,” observed James McQuiggan, security awareness advocate at security firm KnowBe4, said in an email to Threatpost. “They need to continually develop their applications and encryption to avoid detection and make money via extortion using various methods.”

Given this perspective, it’s not surprising that Evil Corp is leveraging other ransomware to continue to stay relevant and, more importantly, get paid, he said. And with Evil Corp cloaking itself in the  activity of other ransomware groups, targets likely will pay an extortion fee, as they would not be aware of the government sanctions against the true perpetrators of the crime, McQuiggan said.