Sanctions that the US government imposed on Russia-based crimeware gang Evil Corp in 2019 appear to have forced the threat actor to change tactics to remain in the cybercrime business.

New research into the group's activity by Mandiant shows that after the sanctions were put in place — after the group caused more than $100 million in losses to banks and other financial institutions by stealing sensitive information — Evil Corp switched to using ransomware in an apparent effort to obscure attribution. 

Moving on from using Dridex, its own exclusive (and easily fingerprinted) malware, Evil Corp actors have been observed deploying ransomware families used by multiple threat groups, such as Hades, WastedLocker, PhoenixLocker, and most recently LockBit, a ransomware-as-a-service option.

US regulations prohibit organizations — including ransomware victims and negotiators — from conducting any kind of financial transactions with organizations and entities on the US Treasury Department's Office of Foreign Assets Control (OFAC) sanctions list.

"[US] sanctions have had a direct impact on threat actor operations, particularly as at least some companies involved in ransomware remediation activities, such as negotiation, refuse to facilitate payments to known sanctioned entities," Mandiant says in its report. "This can ultimately reduce threat actors' ability to be paid by victims, which is the primary driver of ransomware operations."

That means US ransomware victims need to pay closer attention to whom they are dealing with, says Jeremy Kennelly, senior manager of financial crime analysis at Mandiant Threat Intelligence.

"When dealing with a ransomware intrusion, the particular malware being deployed, or the branding on ransom notes, or shaming websites may be insufficient to determine whether the beneficiary of payments has affiliations with Evil Corp, a sanctioned entity," he says.

Sanctions Crunch

OFAC sanctioned Evil Corp and two members associated with the group for stealing more than $100 million from financial institutions in 40 countries using credentials harvested with the Dridex malware tool.

Around the time the sanctions were imposed, Evil Corp had begun renting out Dridex for use by affiliate gangs. It also had begun making its own foray into the ransomware space, initially with BitPaymer ransomware and later with DopplePaymer and WastedLocker in 2019. 

In 2020 Evil Corp. targeted more than two-dozen US organizations with ransomware, including several Fortune 500 companies in a massive WastedLocker campaign. Months after the sanctions went into effect, the threat actor stopped using WastedLocker and soon after switched to a variety of other tools, such as Hades and most recently LockBit — a ransomware-as-a service tool that gives the threat actor an opportunity to blend in with other actors.

UNC2165: Another Evolution of Evil Corp.

Mandiant says since 2019 it has investigated multiple LockBit ransomware intrusions carried out by a group that the vendor is currently tracking as UNC2165. According to Mandiant, UNC2165 has a lot of overlap with Evil Corp and is most likely an actor closely affiliated with it. For instance, in all the intrusions that Mandiant investigated, UNC2165 obtained access to the victim network via UNC1543, a financially motivated threat group that distributes FakeUpdates, a multistage JavaScript dropper for distributing malware. FakeUpdates was also the infection chain for deploying Dridex that later resulted in BitPaymer and DopplePaymer ransomware infections.

Similarly, the Hades ransomware family that Mandiant observed UNC2165 deploying had multiple code similarities to other ransomware tools tied to Evil Corp. Several of the command-and-control servers that UNC2165 has been observed using have also been linked to Evil Corp infrastructure, Mandiant says.

"The operational relationship between UNC2165 and the broader Evil Corp group is not fully understood," Kennelly says. "Mandiant has observed UNC2165 deploying Hades ransomware and operating Hades-related infrastructure. Furthermore, multiple public reports related to the deployment of other ransomware families commonly attributed to Evil Corp have involved use of infrastructure Mandiant attributes to UNC2165."

Kennelly says it's unclear what impact Mandiant's report tying an Evil Corp-related actor to LockBit will have in the ransomware space. 

"The impact this disclosure will have on ransomware negotiators is difficult to predict," he says. "LockBit may quickly move to distance themselves from affiliates with ties to Evil Corp, or deny the allegations wholesale," he says.

Furthermore, UNC2165 has shifted their operations multiple times over the past years, and this may ultimately lead to them to again adopt an updated toolkit if ransomware negotiators halt work on LockBit cases, he notes.