Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service
Evil by a Different Name: Crime Gang Rebrands RansomwareWastedLocker Ransomware From Evil Corp Disguised as PayloadBin to Avoid Sanctions
If you're a high-earning Russian cybercrime gang, but feeling the heat after being sanctioned by the U.S. government, why not rebrand?
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
So goes an apparent move by the notorious Evil Corp to co-opt the name of a rival gang's ransomware, as Bleeping Computer first reported.
"The 'rebranding' move is likely 'an attempt to trick victims into violating OFAC regulations.'"
Security experts have been tracking how Evil Corp, which the U.S. Treasury Department’s Office of Foreign Assets Control sanctioned in December 2019, continues to evolve.
Recently, Evil Corp appears to have rebranded its WastedLocker ransomware - aka PhoenixLocker and Hades - as PayloadBin, which is run by a different gang called Babuk, says Fabian Wosar, CTO of security firm Emsisoft. But the executable being used by Evil Corp is still a version of WastedLocker, Wosar says.
Accordingly, the "rebranding" move is likely "an attempt to trick victims into violating OFAC regulations," he says.
Looks like EvilCorp is trying to pass off as Babuk this time. As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations. Sample: https://t.co/k669bbaNyV— Fabian Wosar (@fwosar) June 5, 2021
The move follows the Babuk gang in May announcing the development of a dedicated data leak site, which it recently debuted under the name Payload.bin, according to the MalwareHunterTeam group of researchers.
The Rise of Evil Corp
One surprise with Evil Corp is the operation's longevity. The crime gang began life in 2011, with ties to the Zeus banking Trojan operation, and later developed its own banking malware called Dridex.
The FBI says Dridex was used to steal more than $100 million from hundreds of banks across 40 countries. Subsequently, the malware was also being used as a loader, to install BitPaymer ransomware on victims' systems.
In December 2019, a U.S. grand jury indicted two Russian nationals - Maksim Yakubets and Igor Turashev - for allegedly running Evil Corp.
After having helped launder money and assist the GameOver/Zeus botnet and malware operation, Yakubets was serving "as Evil Corp's leader and is response for managing the group's malicious cyber activities," the Treasury Department said at the time. Announcing a $5 million reward for information leading to his capture, it added that since at least 2017, Yukabets had been working for Russia's Federal Security Service, known as the FSB, which it had previously sanctioned for attacks against U.S. targets.
Turashev, meanwhile, allegedly "was involved in helping Evil Corp exploit victims’ networks," including running the Dridex malware operation, the Treasury Department said.
Both men remain at large.
By June 2020, Evil Corp appeared to have retooled, debuting new crypto-locking malware called WastedLocker, which was demanding ransom payments of $500,000 to $1 million per infection. At least at that time, security experts said the operation - unlike most other ransomware gangs - wasn't stealing and leaking data to try and force victims to pay. In the following months, the gang racked up a number of victims, including publicly traded companies and newspapers.
But since 2019, any WastedLocker victims who pay Evil Corp any ransom money do so at their OFAC-violating peril.
In October 2020, the Treasury Department issued a reminder that any organization or individual, anywhere in the world, who paid a ransom to Evil Corp would be violating OFAC sanctions. While officials didn't say what action they might take against sanctions-breakers, the warning was clear: Pay sanctioned criminals, and the U.S. government will come after you.
Experts say that all reputable insurers, incident response firms and ransomware negotiators will not engage with any individual or organization on the OFAC sanctions list, for example, to negotiate ransom payments in return for the promise of a decryption key or pledge to delete stolen data.
In November 2020, for example, ransomware incident response firm Coveware said that it had blacklisted the DarkSide ransomware operation, placing it on a list of gangs with which it would not engage, after DarkSide said it would be using servers based in Iran to make its infrastructure more difficult for Western law enforcement agencies to disrupt. But by contracting with Iranian entities, DarkSide itself would be violating OFAC sanctions.
DarkSide responded with a furious-sounding press release, alleging that it did not use any Iranian services.
Apparently, business continued relatively unimpeded for the group, at least until it received $4.4 million from East Coast fuel supplier Colonial Pipeline Co. In the wake of the political fallout from that attack, the group suggested it might curtail its operations, with experts predicting the ransomware-as-a-service operation would soon resurface under a different name (see: Ransomware Gangs 'Playing Games' With Victims and Public).
As the White House moves to more forcefully disrupt ransomware operations and deter ransomware gang members from making a profit, it's a fair bet that whoever is running DarkSide - among other crime gangs - may soon be outed and join Evil Corp on the list of sanctioned entities and individuals.
To try and avoid U.S. sanctions deterring victims from paying them, these gangs will have to do a lot more than just rename their malware.