Evil Corp is Back With New TTPs, Deploys New WastedLocker Ransomware

The ransomware market has begun shifting targets from home consumers to enterprise targets. The Evil Corp gang has adapted this strategy as well, by shifting its focus from home-based targets to corporate targets, and by adopting some new tactics.

New TTPs of Evil Corp group

The Evil Corp gang, which is active since 2007, has replaced the custom-built BitPaymer variant with a totally new ransomware strain, written from scratch.
  • Recently, Fox-IT researchers found the ransomware, named WastedLocker, that has code similarities with BitPaymer. They also found that the WastedLocker ransomware has been exclusively deployed against US companies since May 2020.
  • The Evil Corp gang deployed the ransomware on file servers, database services, virtual machines, and cloud environments. For file encryption, the ransomware targets fixed, removable, shared, and remote drives, while ignoring smaller files as well as any blacklisted directories or extensions.
  • The group abused the Cobalt Strike threat emulation software and its Beacon implant for a lateral movement activity. The payload is embedded in two types of PowerShell scripts and, in certain cases, is delivering it via a custom loader.

BitPaymer infections era

Several attackers have deployed BitPaymer in combination with other malware on large enterprise targets. 
  • In January 2020, the cybercriminal group TA505 launched phishing campaigns to leverage attachments with HTML redirectors in order to deliver Excel documents containing malware like BitPaymer and others.
  • In November 2019, attackers exploited the Bluekeep vulnerability to deploy Bitpaymer ransomware payload, targeting several organizations in Spain, including Everis and SER.
  • In October 2019, Gillian Franklin owned cosmetics business ‘The Heat Group’ was hit by BitPaymer ransomware, demanding payment of the equivalent of $40,000 in Bitcoin.
  • Between 2017 to 2019, Evil Corp used Dridex infections almost exclusively for targeted ransomware campaigns by deploying BitPaymer.

Stay safe

Users should properly configure firewalls, and use a reputable anti-malware suite. Pay close attention when browsing the Internet. Keep installed programs updated and use security patches, features, or tools provided by official developers wherever possible to mitigate known vulnerabilities.