Evil Corp is a cybercrime gang notorious for its prolific malware-based hacking schemes leading to payments exceeding $100 million from various financial institutions and other businesses. The ransomware gang’s level of notoriety is such that the U.S. government issued sanctions against it, charged two members with criminal violations, and announced a $5 million reward for information leading to its leader’s capture or conviction.
The shape-shifting nature of Evil Corp in recent years has seen the gang’s members and affiliated operations deploy a number of different ransomware strains and tactics making it difficult to attribute their involvement in the cyber attacks. This article analyzes Evil Corp’s operations and ransomware deployments to help identify patterns and avoid attacks.
Evil Corp Early Operations: Indrik Spider and Dridex
In June 2014, the security intelligence community began noticing a prolific cybercrime group successfully hacking financial institutions using Dridex, a custom banking trojan that steals credentials on Windows machines. Convincing phishing emails were the primary delivery method for many Dridex attacks. The Russia-based group dubbed itself Indrik Spider, although it has since been referred to by several other names, including Evil Corp and UNC2165.
Dridex received several updates per year from 2014 through 2016, including code obfuscation techniques that made it harder to analyze the malware’s features and functionality. 2017 saw a marked slowdown in high-volume email spam campaigns using Dridex. This change represented a fundamental shift in Evil Corp’s operations toward using targeted, high-profit ransomware attacks.
Evil Corp’s Ransomware Evolution
The operational switch to ransomware in 2017 coincided with several high-profile ransomware attacks globally that signaled a widespread shift in cybercriminals’ tactics. An attack on the UK’s National Health Service saw the emergence of a ransomware variant known as BitPaymer. Security researchers noted that BitPaymer’s anti-analysis features overlapped with Dridex, and a more in-depth technical analysis attributed the development of BitPaymer to Evil Corp threat actors.
Early Evil Corp ransomware attacks used fake software updates to gain initial access to systems and PowerShell Empire to move laterally. Using PowerShell Empire, both Dridex and BitPaymer were loaded onto target infrastructures. Dridex was used for reconnaissance to help identify target systems for encryption. Afterward, the BitPaymer payload was used to encrypt targeted critical systems either using batch scripts or direct installation via PowerShell Empire.
Evil Corp's Shape-Shifting Ransomware Operations
The US Treasury’s sanctions in December 2019 identified key indicators of Evil Corp’s attacks, including the use of Dridex, PowerShell Empire, and BitPaymer. These sanctions made it illegal for affected organizations to pay a ransom to Evil Corp’s threat actors in the aftermath of any successful ransomware attack.
The increased spotlight and identifiable markers of Evil Corp attacks led to operational changes intended to throw researchers and law enforcement off the gang’s scent. Key alterations in tactics, techniques, and procedures (TTPs) included the use of Cobalt Strike instead of PowerShell Empire for lateral movement, a move away from Dridex, and the use of the SocGholish framework for initial access via fake software updates.
Most notable, however, was the use of multiple ransomware strains within a two-year period. The gang moved away from BitPaymer and began using a new strain known as WastedLocker for several months in 2020.
After the security intelligence community quickly noted similarities to Dridex and BitPaymer, the gang developed the Hades ransomware strain in December 2020. However, additional research uncovered the fact that Hades and WastedLocker shared the same codebase and used the exact same RSA encryption routines.
Further variants emerged, including Hades PhoenixLocker and Hades PayloadBin, but consistent similarities revealed that most of these were just rebrands of Hades with no notable changes. Another rebrand in 2021 saw the emergence of Macaw Locker, a new strain that researchers were once again able to trace to Evil Corp actors.
From Custom Ransomware to RaaS
After investing a lot of effort to evade detection by developing ransomware variants, the gang’s actors apparently moved away from custom strains and adopted the popular ransomware-as-a-service (RaaS) model. A RaaS model is when a group of people develop their own ransomware strain and make it available to other threat groups (affiliates) to use in attacks. Often, the gang running a RaaS operation steers clear of conducting any cyber attacks and instead profits from either a subscription fee paid by affiliates or a share of any profits extorted in a given attack.
A news story broke in June 2022 about research identifying UNC2165 attacks using Lockbit’s ransomware, which is a prolific RaaS operation with multiple affiliate threat groups. UNC2165 is the name given to a threat group believed to have emerged from Evil Corp.
The switch to RaaS makes sense on paper for Evil Corp actors looking to obscure the signals of their attacks. The RaaS model means that many different gangs will be using these strains across various attacks, which makes it more challenging to identify Evil Corp as the actors instigating them. Accurate attribution of Evil Corp ransomware attacks would therefore require researchers to spot distinct indicators at earlier phases of the attack cycle.
In a dramatic twist to the story, though, the threat actors behind the Lockbit RaaS operation distanced themselves from Evil Corp in a PR stunt. Lockbit claimed to have hacked Mandiant, the cybersecurity company that published the initial research alleging Evil Corp was now a Lockbit affiliate.
After claiming to have stolen thousands of Mandiant files, Lockbit released files on its data leak site. The files didn’t contain any of Mandiant’s data. Instead, a response to Mandiant’s research appeared. In the statement, Lockbit operators said, “our group has nothing to do with Evil Corp…we have nothing to do with politics or special services like FSB, FBI, and so on.”
This PR stunt clearly indicates a desperate attempt from Lockbit to deflect any association with Evil Corp because of the implications and potential monetary losses from further sanctions. The public profile of Evil Corp is such that other cybercrime gangs don’t want to be seen having any association with it.
What’s Next for Evil Corp?
When other ransomware gangs reach a certain level of notoriety, they often disband or get broken up by collaborative law enforcement stings. What makes Evil Corp unique is the fluid nature and longevity of its operations. The alleged recent switch to RaaS makes sense to help avoid attribution for attacks and remain profitable.
But there are other indicators of Evil Corp activity that will most likely lead to adjustments in tactics at earlier phases of attacks. A strong indicator is the use of FakeUpdates, a type of malware that downloads other malicious files onto systems. End-users install FakeUpdates after being convinced they are downloading files whose names resemble those of known browsers and browser updates.
From a mitigation perspective, the strategies that generally apply to all other ransomware attacks can be effective in defending against Evil Corp:
- The gang has a long history of using phishing emails: prepare for a return to this initial access vector and arm your organization with advanced email security solutions.
- Evil Corp relies heavily on social engineering techniques in general: effective user security training and awareness is imperative to stop people from visiting suspicious URLs or downloading files from untrusted sources, and to help them recognize the obvious signs of phishing.
- Some more recent Evil Corp attacks used stolen credentials rather than fake software updates for initial access: make sure to enable multifactor authentication on corporate applications.
- Consider using advanced anomaly-based solutions that collect data across various network points and help to flag suspicious activity and tools indicating in-progress ransomware attacks, such as Cobalt Strike beacons, malicious PowerShell activity, and other droppers or loaders.