Russian hacking gang Evil Corp shifts its extortion strategy after sanctions


A notorious Russian cybercrime group has updated its attack methods in response to sanctions that prohibit US companies from paying it a ransom, according to cybersecurity researchers.

The security firm Mandiant said on June 1 that it believes the Evil Corp gang is now using a well-known ransomware tool named LockBit. Evil Corp has shifted to LockBit, a form of ransomware used by numerous cybercrime groups, rather than its own brand of malicious software, in order to hide evidence of the gang’s involvement so that compromised organisations are more likely to pay an extortion fee, researchers said.

The US Treasury Department in 2019 sanctioned the alleged leaders of the Evil Corp gang, creating legal liabilities for American companies that knowingly send ransom funds to the hackers. While cybersecurity firms have associated Evil Corp with two malware strains, known as Dridex and Hades, the group’s use of LockBit could lead hacked organisations to believe that a hacking group other than Evil Corp was behind the breach.

Evil Corp is believed to be behind some of the worst banking fraud and computer hacking schemes of the past decade, stealing more than US$100mil (RM438.65mil) from companies across 40 countries, according to the US government.

Alleged members are on the wanted lists of law enforcement across the US, UK and Europe, including accused mastermind Maksim Yakubets, who the Treasury Department said previously worked for Russia’s Federal Security Service. The 35-year-old Russian man is reported to own a tiger and drive a personalised Lamborghini with a licence plate that translates as “thief”, according to the UK’s National Crime Agency.

The US has increasingly used sanctions to try to curb cybercriminal operations, including prohibiting American organisations from paying ransom fees to known groups like Evil Corp and to cryptocurrency exchanges that are often used to funnel ransom payments.

Evil Corp’s alleged reliance on off-the-shelf software also suggests that sanctions may not be enough to deter the group from extorting money from businesses in the US and around the world, according to Kimberly Goody, director of cybercrime analysis at Mandiant.

“This shows us that sanctions can be effective in changing actor behaviour, such as pushing people to other services, but not always at fully curtailing operations due to the availability of cybercrime tools and services in underground communities,” she said.

A US Treasury spokesperson said it had become aware of such obfuscation attempts, adding that government officials regularly highlight to industry the importance of reporting attacks so that law enforcement can connect the dots and try to identify the perpetrators.

Ransomware attacks typically begin by tricking an individual into clicking on a malicious link while using a corporate device, infecting that computer and, in turn, the organisation’s network. Once hackers have access to the network or to critical files and systems, they encrypt the data, rendering it inaccessible. The targets are told they can pay a ransom, typically in cryptocurrency, to receive a decryption key and regain access to their systems.

Alphabet Inc’s Google announced in March it has agreed to purchase Mandiant for US$5.4bil (RM23.68bil). – Bloomberg
