
New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions



The new PayloadBIN ransomware has been attributed to the Evil Corp cybercrime gang, which rebranded to evade sanctions imposed by the US Treasury Department's Office of Foreign Assets Control (OFAC).

The Evil Corp gang, also known as Indrik Spider and the Dridex gang, began as an affiliate for the ZeuS botnet. Over time, they formed a group that focused on distributing the banking trojan and downloader known as Dridex via phishing emails.

As cybergangs began to transition to highly profitable ransomware attacks, Evil Corp launched a ransomware operation called BitPaymer, which was delivered via the Dridex malware in compromised corporate networks.

After the US government sanctioned Evil Corp in 2019, ransomware negotiation firms refused to facilitate ransom payments for Evil Corp ransomware attacks to avoid facing fines or legal action from the Treasury Department.

Evil Corp began renaming their ransomware operations to different names such as WastedLocker, Hades, and Phoenix to bypass these sanctions.

The threat actors used Phoenix in an attack on insurance firm CNA.

Evil Corp impersonates Payload Bin hacking group

After breaching the Metropolitan Police Department in Washington, DC, and stealing unencrypted data, the Babuk gang said they were quitting ransomware encryption and would instead focus on data theft and extortion.

At the end of May, the Babuk data leak site had a design refresh where the ransomware gang rebranded as a new group called 'payload bin,' shown below.

On Thursday, BleepingComputer discovered a new ransomware sample called PayloadBIN [VirusTotal] that we immediately assumed was related to the rebranding of Babuk Locker.

When installed, the ransomware will append the .PAYLOADBIN extension to encrypted files, as shown below.

Files encrypted by PayloadBIN

Furthermore, the ransom note is named 'PAYLOADBIN-README.txt' and states that the victim's "networks is LOCKED with PAYLOADBIN ransomware."

PayloadBIN ransom note
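The two file-system indicators described above (the appended .PAYLOADBIN extension and the PAYLOADBIN-README.txt note with its "LOCKED with PAYLOADBIN ransomware" phrase) are enough for a quick host triage check. The Python script below is an added example, not code from BleepingComputer or from the researchers named in this article; the function names `scan_tree` and `build_sample_tree` and the sample directory it creates are assumptions made for illustration, and the sample file contents are constructed, not taken from a real infection.

```python
import tempfile
from pathlib import Path

# Indicators as described in the article: the extension appended to encrypted
# files, the ransom note file name, and a phrase from the note body.
ENCRYPTED_EXT = ".PAYLOADBIN"
RANSOM_NOTE_NAME = "PAYLOADBIN-README.txt"
RANSOM_NOTE_PHRASE = "LOCKED with PAYLOADBIN ransomware"


def scan_tree(root):
    """Walk a directory tree and collect PayloadBIN file-system indicators.

    Returns a dict listing files carrying the encrypted-file extension,
    ransom notes whose file name matches, whether any note body contains the
    known phrase, and a combined verdict. Matching is case-insensitive so a
    note dropped with different casing is still caught.
    """
    root = Path(root)
    encrypted = []
    notes = []
    phrase_hit = False
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.suffix.upper() == ENCRYPTED_EXT:
            encrypted.append(rel)
        elif path.name.upper() == RANSOM_NOTE_NAME.upper():
            notes.append(rel)
            try:
                body = path.read_text(errors="replace")
            except OSError:
                body = ""  # unreadable note still counts as a name match
            if RANSOM_NOTE_PHRASE.lower() in body.lower():
                phrase_hit = True
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "note_phrase_matched": phrase_hit,
        # Require both indicator types before flagging the host, so a stray
        # file with a matching extension alone does not trigger an alert.
        "suspected_payloadbin": bool(encrypted) and bool(notes),
    }


def build_sample_tree():
    """Create a constructed directory that mimics a hit host (sample data only).

    Layout (hypothetical):
      docs/budget.xlsx.PAYLOADBIN   - an "encrypted" file
      docs/PAYLOADBIN-README.txt    - a ransom note containing the known phrase
      clean/notes.txt               - an untouched file in a clean subtree
    """
    root = Path(tempfile.mkdtemp(prefix="payloadbin_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "budget.xlsx.PAYLOADBIN").write_bytes(b"\x00" * 64)
    (root / "docs" / "PAYLOADBIN-README.txt").write_text(
        "Your networks is LOCKED with PAYLOADBIN ransomware.\n"
    )
    (root / "clean").mkdir()
    (root / "clean" / "notes.txt").write_text("plain file, untouched\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print(scan_tree(sample))          # suspected_payloadbin: True
    print(scan_tree(sample / "clean"))  # suspected_payloadbin: False
```

Run it against a mounted image or a suspect share instead of the constructed sample to get a first indicator inventory; the verdict deliberately requires both an extension hit and a note hit, since either one alone is weak evidence.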

After discovering the sample, BleepingComputer thought Babuk was lying about their intentions to move away from ransomware and had rebranded to a new name.

However, after analyzing the new ransomware, both Fabian Wosar of Emsisoft and Michael Gillespie of ID Ransomware confirmed that the ransomware is a rebranding of Evil Corp's previous ransomware operations.

While discussing why they would have impersonated another cybercrime group, Wosar felt that they saw and took an opportunity to impersonate a hacking group that isn't sanctioned.

"Now they had a gang rebranding and simply took the chance." – Fabian Wosar.

Because the ransomware is now attributed to a sanctioned hacking group, most ransomware negotiation firms will likely not help facilitate payments for victims affected by the PayloadBIN ransomware.
