Russian Evil Corp hackers try to evade US sanctions with RaaS

Cybercriminals from Evil Corp are changing their ransomware operations in order to evade US sanctions. According to a recent study released by the cybersecurity firm Mandiant, these Russia-based hackers have moved to a RaaS (ransomware-as-a-service) model in order to obscure who is behind the attacks.

Evil Corp and UNC2165, one and the same gang?

In December 2019, the Office of Foreign Assets Control (OFAC), a unit of the US Treasury, sanctioned Evil Corp for deploying the Dridex malware. This malware is believed to have enabled the theft of more than 100 million dollars from hundreds of banks and financial institutions. Over the past few months, cybersecurity researchers at Mandiant have observed a number of ransomware intrusions without being able to attribute them to any particular hacker group.

These intrusions have been attributed to a cluster dubbed UNC2165. According to the company's study, this activity shares “many points in common with the techniques usually used by Evil Corp”. In Mandiant's view, it most likely represents an evolution of the operations of actors affiliated with the Russian hackers. UNC2165 is a group of cybercriminals that Mandiant has been monitoring since 2019. The attack relies on tricking Internet users into opening an attachment disguised as a browser update.

The RaaS model appeals to hackers

In the past, Evil Corp used the same lure as an infection vector for Dridex, and likewise for the deployment of BitPaymer and WastedLocker, two ransomware variants also used by Evil Corp. UNC2165 has also deployed the Hades ransomware, whose code and features resemble those of other ransomware suspected of being associated with Evil Corp. Mandiant researchers also found similarities in infrastructure.

This isn’t the first time Evil Corp has changed tack to avoid sanctions, but this time cybersecurity researchers are observing a genuine change of strategy with the adoption of a RaaS model. In theory, this allows the hackers to conduct their operations anonymously. The report states that “Adopting a RaaS model is a natural evolution for UNC2165 as it attempts to mask its Evil Corp affiliation. This could buy hackers time to develop new ransomware from scratch.”

This study comes just weeks after members of the REvil ransomware gang (which has long been linked to activities attributed to Evil Corp) were arrested by the FSB at the request of the United States. At the beginning of the year, the FSB searched 25 addresses linked to 14 suspects belonging to REvil. This operation clearly marked the end of the reign of the notorious group of cybercriminals, which specialized in ransomware attacks.
