The Russian hacker group Evil Corp has reportedly changed its attack tactics to get around US sanctions that prohibit US companies from paying it a ransom.
Mandiant, the threat intelligence firm, reported the shift. The firm recently wrote a blog post linking a series of Lockbit ransomware intrusions to UNC2165, a threat cluster that shares numerous overlaps with Evil Corp.
In 2019, the US Treasury Department sanctioned Evil Corp for using the Dridex malware to infect hundreds of banks and financial institutions in more than 40 countries, stealing in excess of $100 million.
From a regulatory standpoint, these sanctions bar victim organisations from paying a ransom to Evil Corp in order to restore access to their systems.
Mandiant wrote, “these sanctions have had a direct impact on threat actor operations, particularly as at least some companies involved in ransomware remediation activities, such as negotiation, refuse to facilitate payments to known sanctioned entities.”
“This can ultimately reduce threat actors’ ability to be paid by victims, which is the primary driver of ransomware operations.”
Over the past couple of years, UNC2165/Evil Corp have changed tactics to hide evidence of their involvement and, in turn, make compromised firms more likely to pay the ransom. They switched from WastedLocker to the Hades ransomware.
According to Mandiant, starting in 2021 the group changed approach once again and began deploying Lockbit, a ransomware-as-a-service (RaaS) offering.
“The adoption of an existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp,” wrote Mandiant.
“Using this RaaS would allow UNC2165 to blend in with other affiliates, requiring visibility into earlier stages of the attack lifecycle to properly attribute the activity, compared to prior operations that may have been attributable based on the use of an exclusive ransomware.”
In the conclusion of its post, Mandiant suggested that the actors behind UNC2165 operations may take further steps to distance themselves from the Evil Corp name going forward.
“We expect these actors as well as others who are sanctioned in the future to take steps such as these to obscure their identities in order to ensure that it is not a limiting factor to receiving payments from victims.”