Cybercriminals often keep looking for technical innovation to bypass security barriers to reach their targets. However, the Evil Corp cybercrime group has been observed using tactical ways to bypass the sanctions put by federal agencies. Recently, the group started using different ransomware to evade sanctions imposed by the Office of Foreign Assets Control (OFAC).
What has happened?
CrowdStrike has identified a connection between Evil Corp and Hades ransomware based on code overlap.
- Hades shares some major functionality with WastedLocker, such as the ISFB, inspired static configuration, multi-staged persistence, installation process, and others.
- In addition, Evil Corp is observed to be using a new tactic - the departure of email for communication. Furthermore, it is more focused on exfiltrating data from victims to draw out payments.
- This new malware is helping Evil Corp bypass sanctions that prevent victim organizations from making ransom payments.
A brief history
In December 2019, the members of Evil Corp were charged and sanctioned by OFAC for using Dridex to cause over $100 million in financial damages.
- In October 2020, the OFAC warned that organizations helping ransomware victims in making ransom payments to sanctioned threat actors will face risks as their actions could break regulations.
- From June 2020, Evil Corp changed its tactics to avoid the sanctions by deploying WastedLocker ransomware. At that time, Garmin was one of the high-profile targets of ransomware.
Recent attacks using Hades ransomware
Evil Corp has been actively using the Hades ransomware for quite some time, and it has targeted multiple organizations based in the U.S.
- Recently, the Hades ransomware as part of an ongoing campaign that targeted three U.S.-based companies.
- A few months ago, it had targeted a trucking giant, later identified as Forward Air.
The use of WastedLocker and further technical improvements in the Hades ransomware indicate that Evil Corp is desperately looking for ways to amplify its attacks. This is not just limited to bypass the sanctions imposed upon them, it is further strengthening their tools to make them deadlier weapons than before. Therefore security professionals and agencies need to keep a sharp eye on this threat.