Evil Corp sheds skin to evade US sanctions

Since its assets were targeted by the Treasury in 2019, the cybercriminal outfit appears to have been changing up its ransomware toolkit and may have even changed its name to distance itself from negative publicity.

The theory has been proposed by cybersecurity research firm Mandiant, which found that threat actors believed to be associated with Evil Corp had ditched malware tool WastedLocker the year after the US levied sanctions against it.

“There was a cessation of WastedLocker activity and the emergence of multiple closely related ransomware variants in relatively quick succession,” said Mandiant, referring to three iterations of the toolkit Hades that Evil Corp affiliates appear to have adopted between 2020 and 2021. “These developments suggested that the actors faced challenges in receiving ransom payments following their ransomware's public association with Evil Corp.”

Graph showing Evil Corp's changing use of ransomware 2017-2021

The move apparently comes in response to the increasing use by the US government of sanctions “to tackle ransomware operations [...] as well as cryptocurrency exchanges that have received illicit funds.”

Mandiant added: “These sanctions have had a direct impact on threat actor operations, particularly as at least some companies involved in ransomware remediation activities refuse to facilitate payments to known sanctioned entities. This can ultimately reduce threat actors' ability to be paid by victims.”


In further evidence that cybercriminals were anxious to dissociate themselves from the sanctioned “brand” and keen to evolve their attack capabilities, another ransomware group known as UNC2165 appears to share members with Evil Corp – suggesting that at least some members prefer to go under an alternative name nowadays.

“UNC2165 activity likely represents another evolution in Evil Corp-affiliated actors' operations,” said Mandiant. “Numerous reports have highlighted the progression of linked activity including development of new ransomware families.”

When the Treasury sanctioned Evil Corp, the Department of Justice also issued indictments “against individuals for their roles in the Bugat malware operation, updated versions of which were later called Dridex.”

But around the same time that threat actors were observed “defecting” from Evil Corp to UNC2165, a parallel shift was observed from Dridex to FakeUpdates.

“Despite these apparent efforts to obscure attribution, UNC2165 has notable similarities to operations publicly attributed to Evil Corp, including a heavy reliance on FakeUpdates to obtain initial access to victims and overlaps in their infrastructure and use of particular ransomware families,” said Mandiant.

The hydra’s many heads

Yet another “alter ego” has been observed, with SilverFish being fingered as another cluster of threat actors that share similarities with UNC2165.

“The analyzed malware administration panel is used to manage FakeUpdates infections and to distribute secondary payloads, including Beacon,” said Mandiant of a SilverFish tool it examined. “We believe that at least some of the described activity can be attributed to UNC2165, based on malware payloads and other technical artifacts.”

“In most cases, we’ve observed, UNC2165 has stolen data from its victims to use as leverage for extortion after it has deployed ransomware across an environment,” said Mandiant, adding that it “leveraged multiple Windows batch scripts during the final phases of its operations to deploy ransomware and modify systems to aid the ransomware's propagation.”

UNC2165 was also found to be increasingly using the Lockbit ransomware, made infamous by the gang of the same name that was highlighted in a recent report as the foremost of its kind in 2022.

“The adoption of an existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp,” said Mandiant. “Both the prominence of Lockbit in recent years and its successful use by several different threat clusters likely made the ransomware an attractive choice. Using this RaaS [ransomware-as-a-service] would allow UNC2165 to blend in with other affiliates [...] compared to prior operations that may have been attributable based on the use of an exclusive ransomware.”

Furthermore, borrowing ransomware would save the threat actors formerly associated with Evil Corp “development time and effort, allowing resources to be used elsewhere, such as broadening ransomware deployment.”

Mandiant added: “Its adoption could also temporarily afford the actors more time to develop a completely new ransomware from scratch, limiting the ability of security researchers to easily tie it to previous Evil Corp operations.”

More from Cybernews:

Increased privacy risk as ransom attacks rise

Leaky database exposes job seekers to phishing attacks

Mirza Asrar Baig, CTM360: “stopping threat actors early at reconnaissance makes you a challenging target”

Bank on Conti resurgence in the coming 12 months, expert warns

Failing to protect transportation systems may profoundly hurt business

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked