A new malware strain calling itself PayloadBIN has been discovered. It is actually rebranded ransomware from the Evil Corp group, which uses it to bypass sanctions imposed by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC).

What has happened?

After being sanctioned by the U.S. government in 2019, Evil Corp started rebranding its ransomware operations to different names (Hades, Phoenix, and WastedLocker) to avoid these sanctions.
  • Earlier, the group targeted the Metropolitan Police Department in Washington, DC, and then it impersonated the Babuk group and claimed to be quitting ransomware encryption and focusing on data theft.
  • In late May, the Babuk data leak site got a refreshed design, and the ransomware gang rebranded itself as a new group called Payload Bin (a rebranded version of WastedLocker).
  • This rebranded version of WastedLocker appends the .PAYLOADBIN extension to encrypted files. It is clearly an attempt by Evil Corp to fool victims into violating OFAC regulations.
  • Furthermore, a ransom note (PAYLOADBIN-README[.]txt) is displayed after infection, which mentions that the targeted networks of victims are locked with PayloadBIN ransomware.
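
The two file indicators named above (the .PAYLOADBIN extension and the PAYLOADBIN-README.txt note) can be swept for across a file listing. The following is an added example, not code from the article or from any vendor; the sample paths are constructed, and the note name is the article's defanged name with the brackets removed.

```python
"""Sweep a file listing for the two PayloadBIN indicators named in the article."""
import os
from collections import defaultdict
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".payloadbin"        # extension appended to encrypted files
NOTE_NAME = "payloadbin-readme.txt"  # ransom note name, refanged, lower-cased


def triage(paths):
    """Group indicator hits by directory.

    Returns {directory: {"encrypted": [names], "note": bool}} for every
    directory with at least one hit. Matching is case-insensitive because
    Windows filesystems are.
    """
    hits = defaultdict(lambda: {"encrypted": [], "note": False})
    for raw in paths:
        p = PureWindowsPath(raw)  # accepts both "\\" and "/" separators
        name = p.name.lower()
        if name == NOTE_NAME:
            hits[str(p.parent)]["note"] = True
        elif name.endswith(ENCRYPTED_EXT):
            hits[str(p.parent)]["encrypted"].append(p.name)
    return dict(hits)


def high_confidence(report):
    """Directories holding both encrypted files and the note (least likely noise)."""
    return sorted(d for d, h in report.items() if h["encrypted"] and h["note"])


def walk(root):
    """Yield every file path under root; only names are read, no file is opened."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


# Constructed sample listing, e.g. exported from a file server or an EDR feed.
SAMPLE = [
    r"D:\shares\finance\q2.xlsx.PAYLOADBIN",
    r"D:\shares\finance\budget.docx.payloadbin",
    r"D:\shares\finance\PAYLOADBIN-README.txt",
    r"D:\shares\hr\policy.pdf",
    r"D:\tools\firmware.payloadbin",  # lone match without a note: review manually
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for d in high_confidence(report):
        print(d, len(report[d]["encrypted"]), "encrypted files + ransom note")
```

To sweep a live share instead of the sample, pass `walk(root)` to `triage`; directories with an extension match but no note are kept in the report for manual review.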

Recent attacks by Evil Corp

The group is actively rebranding its ransomware operations and has successfully targeted several organizations lately. 


Despite Evil Corp's recent rebranding efforts, the ransomware has now been linked back to the group. This implies that most ransomware negotiation firms are likely to avoid helping facilitate payments for victims targeted by the PayloadBIN ransomware. Moreover, such threat groups cannot be taken lightly, and organizations should always avoid paying any ransom to them.
Cyware Publisher