Evil Corp Shifts to LockBit to Evade Sanctions

Background

• In 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued a sanction against 17 individuals and seven entities of Evil Corp cyber operations for causing financial losses of more than $100 million with the Dridex malware. 
• After the indictments, the global intelligence community was split into different camps as to how Evil Corp was operating.
• While some assessed that the group had stopped its operations following the sanctions, others had theories that the group had voluntarily shifted its operations to another trusted partner.
• Since then, the gang has been impersonating a number of ransomware variants including BitPaymer, DoppelPaymer, WastedLocker, Hades, and most recently, the PayloadBIN ransomware.

New updates

• As Mandiant threat analysts have recently observed, the cybercrime gang has made another attempt to distance itself from violating OFAC regulations by deploying LockBit ransomware. 
• Researchers claim that the widespread use of LockBit by several different threat actors over the past few years makes it an attractive choice for attackers. The RaaS has been advertised in underground forums since 2020 and has a prominent affiliate program. 
• Additionally, another reason for Evil Corp shifting to LockBit is attributed to the way the RaaS easily blends in with other affiliates. 
• This would allow the affiliates to invest more time in developing new ransomware strains, which can broaden the gang’s ransomware deployment operations. 

Conclusion