Evil Corp's 'WastedLocker' Campaign Demands Big RansomsResearchers: Cybercrime Group, Formerly Known for Dridex, Is Not Exfiltrating Data
The Evil Corp cybercrime group, originally known for its use of the Dridex banking Trojan, is now using new ransomware called WastedLocker, demanding ransom payments of $500,000 to $1 million, according to security researchers at NCC Group's Fox-IT.
So far, less than a dozen victims have been targeted by the campaign, Fox-IT says, but its new research report does not specify if any ransoms have been paid.
Evil Corp has been operating since 2011 and is believed to be based in Russia. It recently shifted to the newly created WastedLocker malware with a campaign mainly targeting businesses through phishing attacks that use the SocGholish fake update framework, which is being distributed through a custom Cobalt Strike loader, Fox-IT reports. In each attack, the malware goes after file servers, database services, virtual machines and cloud environments in an effort to cancel a victim's ability to rebuild their system from backups, thus forcing them to pay the ransom.
The new malware and delivery platform was first spotted in May.
Late last year, two members of the cybercrime group were indicted by the U.S. Justice Department (see: Two Russians Indicted Over $100M Dridex Malware Thefts). The group formerly had been operating the Dridex banking Trojan for information stealing and to install BitPaymer ransomware in North America and Western Europe, the Fox-IT researchers note.
The introduction of WastedLocker coincided with Evil Corp changing a number of its techniques, tactics and procedures. Fox-IT believes these adjustments were due to the unsealing of indictments against team members Igor Olegovich Turashev and Maksim Viktorovich Yakubets and the announcement of financial sanctions against Evil Corp in December 2019.
Evil Corp is sometimes incorrectly associated with the advanced persistent threat group TA505, Fox-IT notes.
Old School Tactics
At a time when many ransomware gangs, including Maze, have been exfiltrating data and demanding payment under the threat of publishing it, WastedLocker is a bit of a throwback. It only encrypts data and does not exfiltrate it, the researchers note (see: Ransomware Gangs Go (Lady) Gaga for Data Breaches).
"We assess that the probable reason for not leaking victim information is the unwanted attention this would draw from law enforcement and the public," the Fox-IT researchers write.
Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel, has a different theory. He believes Evil Corp is basing its strategy on basic business principles.
"This makes sense from the cybercriminal’s perspective. In many cases they are successfully able to find and delete a company’s backups before running their ransomware," Clements says, "Then they know they’ve got you. The victim has to do a calculation on if their operations are worth more than the ransom demand. Often times the answer is 'yes’."
Erich Kron, security awareness advocate at KnowBe4, says skipping data exfiltration simplifies matters for Evil Corp because it doesn’t have to deal with storing the stolen information.
"Their price tags are big enough that we can assume they will be happy with getting just a few victims to pay up,” Kron says. “They do seem to have a pretty good plan that covers how to make that happen by targeting specific types of servers and looking for backups wherever they can find them. Once ransomware encrypts your backups, your choices become very limited as to how to proceed."
To defend against Evil Corp and WastedLocker, organizations need to ensure they have backups either offsite or in a location that is not network accessible, Kron says.
How WastedLocker Works
Once downloaded onto a network, the new WastedLocker malware searches for and targets the system's removable, fixed, shared and remote drives to help minimize the chances that the victim can recover through backups.
"Once a drive is found, the ransomware starts searching for and encrypting files. Each file is encrypted using the AES algorithm with a newly generated AES key and IV (256-bit in CBC mode) for each file,” according to the Fox-IT report. “The AES key and IV are encrypted with an embedded public RSA key (4096 bits). The RSA encrypted output of key material is converted to base64 and then stored into the ransom note.”
For each encrypted file, the attackers create a separate file that contains the ransomware note. It then appends the encrypted file's extension with an abbreviation of the target’s name and the word “wasted.”
Fox-IT researchers found a decryptor in the code, but it requires admin level privileges to operate.