Evil Corp Impersonates PayloadBin Group to Avoid Federal Sanctions

The cybercriminals try to pin new ransomware on Babuk Locker in an effort to fly under the radar of an ongoing FBI investigation.

The criminal group Evil Corp is trying to mask its latest activity by using previously unknown ransomware called PayloadBin, according to researchers. The move is believed to be an attempt to confuse law enforcement and avoid sanctions imposed by the U.S. federal government against entities it believes are linked to Evil Corp, according to published reports.

Download “The Evolution of Ransomware” to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!

Evil Corp, widely associated with the info-stealing Dridex malware, has been the target of a crackdown by U.S. authorities since 2019. As part of that effort, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions against anyone or organization it believes has ties with the criminal enterprise. This action effectively prevents ransomware negotiation firms from facilitating ransom payments with Evil Corp, which limits its ability to profit from criminal activity.

When first discovered, researchers believed PayloadBin was related to a criminal group associated with use of malware called Babuk Locker, according to a published report. That’s because the Babuk crew recently announced it was hanging up its ransomware hat to switch to a new cybercriminal effort. Researchers then said the cybergang regrouped and introduced new tactics and branding, calling themselves “PayloadBin” at the end of May.

At the time, researchers thought that the Babuk crew might have changed its mind about foregoing ransomware, as the PayloadBin sample presented itself as ransomware that encrypted files and left a ransom note.

However, upon further inspection, researchers identified the malware as the work of Evil Corp based on previous ransomware operations of that group, according to the report, which was corroborated by security researcher Fabian Wosar on Twitter.

“Looks like EvilCorp is trying to pass off as Babuk this time,” Wosar tweeted. “As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations.”

Shapeshifting Cybercriminals

The move is not the first time Evil Corp has tried to obscure its activity by changing the names of its ransomware operations. The group is originally known for distributing the Zeus malware and then the Dridex banking trojan, the latter of which allowed the group allegedly to steal millions of dollars from a combination of capturing banking credentials and then making unauthorized transfers from the compromised accounts.

The U.S. government caught wind of the group’s activities and made them a target of a major investigation in 2019, even offering up $5 million for information leading to the arrest of Evil Corp leader Maksim V. Yakubets, 32, of Russia, who goes under the moniker “aqua” and is known for leading a lavish lifestyle. The OFAC’s sanctions were a part of this operation.

Evil Group went on a brief hiatus and then returned at the end of January 2020 using a new infostealer, the GraceWire trojan, most likely to evade the feds.

In later attacks—one against GPS tech specialist Garmin in August 2020 and one against insurance giant CNA in March of this year—Evil Corp was seen delivering ransomware with different names, again in what researchers believe was an effort to fly under the radar of federal detection.

The group employed ransomware called WastedLocker against Garmin; the company may have paid more than $10 million for the decryption key after that attack, according to reports. In the CNA incident, Evil Corp’s weapon of choice was ransomware called Phoenix Cryptolocker, which researchers identified as the work of the group because of its similarities to WastedLocker.

Now that researchers have blown the lid off the group’s connection to PayloadBin, it’s unlikely that anyone will help an organization targeted by the ransomware to negotiate payment to Evil Corp for any decryption efforts, they said.

Download our exclusive FREE Threatpost Insider eBook, 2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles