The U.S. government had issued sanctions against the Evil Corp group, restricting victims from paying the ransom to the gang. However, the group is now believed to be identifying itself as REvil to avoid these sanctions.

What has happened?

A malware analyst working with Emsisoft first discovered this impersonation trick and disclosed ongoing attacks on Twitter. 
  • REvil branding was advertised at multiple stages in the attack, where the locked files were renamed with .revil extension, and the ransomware note was named revil[.]readme[.]txt. 
  • Additionally, the ransom site had a ninja logo reading REvil and the note mentioned REvil multiple times.

Tracing back to Evil Corp

Even after several attempts of rebranding as a different malware, researchers were able to associate the malware easily with Evil Corp.
  • The researcher compared the code to previous samples of PayloadBin and Hades samples and found that it perfectly overlapped.
  • Moreover, the same file formats and use of cryptocurrency further highlighted the connection between the two.

The same tactic in past

Earlier in the past, Evil Corp was observed using a similar approach of masquerading as other groups.
  • In April, the group played a similar trick and claimed to be PayloadBin (a rebranded version of Babuk).
  • Before that, the group had used other aliases such as Phoenix, WastedLocker, and Hades.


Evil Corp is continually rebranding itself to avoid sanctions. This tactic is now being adopted by other ransomware groups as well to avoid the heat from law agencies. Thus, businesses and their security teams should be equipped with the right tools to ward off ransomware threats.

Cyware Publisher