The new PayloadBIN ransomware has been attributed to the Evil Corp cybercrime gang, which is rebranding to evade sanctions imposed by the US Treasury Department's Office of Foreign Assets Control (OFAC).
The Evil Corp gang, also known as Indrik Spider and the Dridex gang, started as an affiliate of the ZeuS botnet. Over time, they formed a group that focused on distributing the banking trojan and downloader known as Dridex via phishing emails.
As cybercrime gangs began to transition to highly profitable ransomware attacks, Evil Corp launched a ransomware operation called BitPaymer, which was delivered via the Dridex malware into compromised corporate networks.
After Evil Corp was sanctioned by the US government in 2019, ransomware negotiation firms refused to facilitate ransom payments for Evil Corp ransomware attacks, to avoid facing fines or legal action from the Treasury Department.
The threat actors used Phoenix in an attack on the insurance firm CNA.
Evil Corp impersonates Payload Bin hacking group
After breaching the Metropolitan Police Department in Washington, DC, and stealing unencrypted data, the Babuk gang said they were quitting ransomware encryption and would instead focus on data theft and extortion.
At the end of May, the Babuk data leak site had a design refresh in which the ransomware gang rebranded as a new group called 'payload bin,' shown below.
On Thursday, BleepingComputer found a new ransomware sample called PayloadBIN [VirusTotal] that we immediately assumed was related to the rebranding of Babuk Locker.
When installed, the ransomware will append the .PAYLOADBIN extension to encrypted files, as shown below.
Furthermore, the ransom note is named 'PAYLOADBIN-README.txt' and states that the victim's "networks is LOCKED with PAYLOADBIN ransomware."
After discovering the sample, BleepingComputer thought Babuk was lying about their intention to move away from ransomware and had rebranded under a new name.
However, after analyzing the new ransomware, both Fabian Wosar of Emsisoft and Michael Gillespie of ID Ransomware confirmed that the ransomware is a rebranding of Evil Corp's previous ransomware operations.
Looks like EvilCorp is trying to pass off as Babuk this time. As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations. Sample: https://t.co/k669bbaNyV
— Fabian Wosar (@fwosar) June 5, 2021
WastedLocker -> Hades -> Phoenix -> PayloadBin, all the same malware/group behind it. Probably a few in between I don't care to recall at the moment.
— Michael Gillespie (@demonslay335) June 5, 2021
When discussing why they would have impersonated another cybercrime group, Wosar felt that they saw and took an opportunity to impersonate a hacking group that isn't sanctioned.
"Now they had a gang rebranding and just took the opportunity." – Fabian Wosar.
As the ransomware is now attributed to a sanctioned hacking group, most ransomware negotiation firms will likely not help facilitate payments for victims affected by the PayloadBIN ransomware.