The financially-motivated threat cluster, Evil Corp aka UNC2165, has again updated its attack methods in response to sanctions prohibiting U.S. companies from paying a ransom. According to the latest report from Mandiant, the gang is now using a well-known ransomware tool, named LockBit. 


  • In 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued a sanction against 17 individuals and seven entities of Evil Corp cyber operations for causing financial losses of more than $100 million with the Dridex malware. 
  • After the indictments, the global intelligence community was split into different camps as to how Evil Corp was operating.
  • While some assessed that the group had stopped its operations following the sanctions, others had theories that the group had voluntarily shifted its operations to another trusted partner.
  • Since then, the gang has been impersonating a number of ransomware variants including BitPaymer, DoppelPaymer, WastedLocker, Hades, and most recently, the PayloadBIN ransomware.

New updates

  • As Mandiant threat analysts have recently observed, the cybercrime gang has made another attempt to distance itself from violating OFAC regulations by deploying LockBit ransomware. 
  • Researchers claim that the widespread use of LockBit by several different threat actors over the past few years makes it an attractive choice for attackers. The RaaS has been advertised in underground forums since 2020 and has a prominent affiliate program. 
  • Additionally, another reason for Evil Corp shifting to LockBit is attributed to the way the RaaS easily blends in with other affiliates. 
  • This would allow the affiliates to invest more time in developing new ransomware strains, which can broaden the gang’s ransomware deployment operations. 


The changing trends and tactics demonstrated by Evil Corp highlight the evolving approach of threat actors to bypass sanctions and stay under the radar. Researchers believe that UNC2165 will continue to take additional steps to distance itself from the Evil Corp name. For example, the threat actors could abandon the use of fake updates to deliver malware. 
Cyware Publisher