Notorious Russian ransomware gang Evil Corp. reportedly hit Sinclair Broadcast Group

The group appears to be trying to circumvent U.S. sanctions with another iteration of its malware.
(Photo by William Thomas Cain/Getty Images)

Evil Corp., one of the most notorious and prolific Russian cybercrime groups in recent years with a leader who has been accused of working with Russian intelligence, was reportedly behind last weekend’s cyberattack on Sinclair Broadcast Group.

The revelation, first reported by Bloomberg Wednesday, is noteworthy because the U.S. Treasury department sanctioned the group in December, 2o19, making any U.S. company’s transactions with it illegal. The group used a new strain of malware called Macaw in the Sinclair attack, said Allan Liska, a senior threat analyst at Recorded Future.

The Justice Department also announced a sealed indictment against Evil Corp. leader Maksim Yakubets in 2019 the same day as the Treasury sanctions. The U.S. government accused Yakubets and another Russian national, Igor Turashev, of being behind malware strains known as Bugat and Dridex, which authorities say hackers employed to target hundreds of banks in more than 40 countries and net the group at least $100 million.

The U.S. government also accused Yakubets of providing “direct assistance” to the Russian spy agency the Federal Security Service, also known as the FSB.


A Sinclair spokesperson did not immediately respond to a request for comment. The company is the second-largest TV station operator in the U.S., owning or operating 21 regional sports network brands, 185 television stations in 86 markets, and multiple national networks. A force in local and community news, the company has been accused of pushing a coordinated politically conservative agenda in the past.

Liska said Evil Corp.’s status means the group has to “swap out [malware] families to trick companies into paying them.”

Evil Corp.’s malware has varied over the years and carried different names. Liska and Emsisoft threat analyst Brett Callow said Macaw represents the latest iteration of a malware strain called WastedLocker, which was introduced after the U.S. sanctions in an attempt to distance the group from previous tools, according to research that CrowdStrike published in March.

Latest Podcasts