ZDNet is reporting Evil Corp, one of the biggest malware operations on the internet, has slowly returned to life after several of its members were charged by the US Department of Justice in December 2019. In a report shared with ZDNet today, Fox-IT, a division within the NCC Group, has detailed the group’s latest activities following the DOJ charges. According to Fox-IT, the group returned in January and spurted a few malware campaigns, usually for other crooks, until March, when they again went silent. Fox-IT says when Evil Corp returned for the second time in 2020 the group created a new ransomware strain to replace the aging BitPaymer variant that they’ve been using since early 2017. Fox-IT named this new ransomware WastedLocker based on the file extension it adds to encrypted files, usually consisting of the victim’s name and the string “wasted.” Security researchers say that an analysis of this new ransomware has revealed little code reuse or code similarities between BitPaymer and WastedLocker; however, some similarities still remain in the ransom note text.

Subscribe
Notify of
guest

2 Expert Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Chris Clements
Chris Clements , VP
InfoSec Expert
June 24, 2020 11:08 am

It is interesting that Evil Corp’s new WastedLocker ransomware did not include any data theft functionality. As organizations have developed more awareness and resiliency to classical ransomware campaigns we’ve seen cyber criminals shift to other forms of extortion such as threatening to disclose sensitive private information. Evil Corp seems to have simply moved to increased ransom payment demands of millions of dollars or more. This makes sense from the cybercriminal’s perspective. In many cases they are successfully able to find and delete a company’s backups before running their ransomware. Then they know they’ve got you. The victim has to do a calculation on if their operations are worth more than the ransom demand. Often times the answer is “yes”.

Last edited 2 years ago by Chris Clements
Erich Kron
Erich Kron , Security Awareness Advocate
InfoSec Expert
June 24, 2020 9:35 am

It\’s not really surprising to see this group getting back into the ransomware game after a bit of an absence. Now it seems we know why they were gone for a little while — they were working on this new strain of ransomware. I\’ve often joked about products that are marketed as new AND improved, however, in this case, that does seem to be the truth. A lot of effort went into writing this, apparently from scratch, where generally we can expect to see a variant of a previous strain, or at least some code reuse, within the new product. Interestingly enough, it seems the only similarities lie in the ransom note.

Another unusual thing is that they are not exfiltrating data. Since that has been the hot trend in new versions of ransomware, or even older ones being adapted to also exfiltrate data, it is interesting to see this without those capabilities. For the Evil Corp gang, it does simplify things quite a bit, as they don\’t have to deal with the storage and publishing of the exfiltrated data or risk tipping their hand as the data is moved out of the network prior to encryption. Their price tags are big enough that we can assume they will be happy with getting just a few victims to pay up. They do seem to have a pretty good plan that covers how to make that happen by targeting specific types of servers and looking for backups wherever they can find them. Once ransomware encrypts your backups, your choices become very limited as to how to proceed.

To defend against Evil Corp and WastedLocker, organisations need to ensure they have backups either offsite or in a location that is not network accessible. In addition, because we know the primary attack vector for Evil Corp is phishing emails, organisations need to ensure their end users are trained to spot and report phishing attacks quickly. The reporting aspect, something that a lot of organisations lack, is a critical piece, as it allows the security team to take steps to remove potential phishing emails from other members of the organisation who may have been targeted in that campaign.

Last edited 2 years ago by Erich Kron
Information Security Buzz
2
0
Would love your thoughts, please comment.x
()
x