Evil Corp is Back With New TTPs, Deploys New WastedLocker Ransomware

New TTPs of Evil Corp group

• Recently, Fox-IT researchers found the ransomware, named WastedLocker, that has code similarities with BitPaymer. They also found that the WastedLocker ransomware has been exclusively deployed against US companies since May 2020.
• The Evil Corp gang deployed the ransomware on file servers, database services, virtual machines, and cloud environments. For file encryption, the ransomware targets fixed, removable, shared, and remote drives, while ignoring smaller files as well as any blacklisted directories or extensions.
• The group abused the Cobalt Strike threat emulation software and its Beacon implant for a lateral movement activity. The payload is embedded in two types of PowerShell scripts and, in certain cases, is delivering it via a custom loader.

BitPaymer infections era

• In January 2020, the cybercriminal group TA505 launched phishing campaigns to leverage attachments with HTML redirectors in order to deliver Excel documents containing malware like BitPaymer and others.
• In November 2019, attackers exploited the Bluekeep vulnerability to deploy Bitpaymer ransomware payload, targeting several organizations in Spain, including Everis and SER.
• In October 2019, Gillian Franklin owned cosmetics business ‘The Heat Group’ was hit by BitPaymer ransomware, demanding payment of the equivalent of $40,000 in Bitcoin.
• Between 2017 to 2019, Evil Corp used Dridex infections almost exclusively for targeted ransomware campaigns by deploying BitPaymer.

Stay safe