Evil Corp affiliates are using off-the-shelf ransomware to evade sanctions

Researchers found a number of similarities between Evil Corp and a new group of attackers.
Financial hacker
(Getty Images)

Hackers likely affiliated with the notorious Russian cybercrime group Evil Corp are using off-the-shelf ransomware to evade U.S. sanctions, researchers at security firm Mandiant have found.

The researchers’ observations, published Thursday, are just the latest example of how cybercriminals affiliated with Evil Corp have shifted tactics after U.S. sanctions in 2019 increased scrutiny over transactions with the group.

The group, which had already started pivoting from broader financial crimes to ransomware prior to 2019, has since been tied by multiple researchers to a number of different malware strains including WASTEDLOCKER and HADES ransomware.

But as those strains became synonymous with Evil Corp, users have had to adjust. For instance, after an October 2020 Treasury Department advisory tying WASTEDLOCKER to the group, researchers noticed a drop in activity using the malware. Researchers at Emsisoft even observed Evil Corp affiliates masquerading last year as another notorious group, REvil, to evade sanctions.


Treasury sanctioned Evil Corp in 2019 for its development and distribution of Dridex, a malware used to infiltrate hundreds of financial institutions in more than 40 countries, leading to millions of dollars in damages.

Now, affiliates whom researchers group as “UNC2165” have since taken cover with LOCKBIT, a ransomware-as-a-service with ties to a number of different threat actors.

“The adoption of existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp,” the Mandiant researchers write. “Both the prominence of LOCKBIT in recent years and its successful use by several different threat clusters likely made the ransomware an attractive choice.”

Also in 2019, prosecutors indicted two Russian nationals, Maksim Yakubets and Igor Turashev, in connection with Evil Corp. Yakubets was accused of providing direct assistance to the Russian government.

Despite scrutiny from the U.S. government, the notorious and prolific Russian crime group has continued to go after U.S. targets. Evil Corp was accused of launching a cyberattack against U.S. media company Sinclair Broadcast Group in October.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts