Evil Corp, one of the biggest malware operations on the internet, has slowly returned to life after several of its members were charged by the US Department of Justice in December 2019.
In a report shared with ZDNet today, Fox-IT, a division within the NCC Group, has detailed the group’s latest activities following the DOJ charges.
Evil Corp short history
The Evil Corp group, also known as the Dridex gang, has been active since 2007 when several members previously involved with the ZeuS banking trojan decided to try their own luck at distributing malware.
Ther initial efforts were focused on distributing the Cridex banking trojan, a malware strain that later evolved into the Dridex banking trojan, and later subsequently evolved into the Dridex multi-purpose malware toolkit.
Across the years, Evil Corp, through its Dridex operation became one of the largest malware and spam botnets on the internet. The group distributed their own malware, but also malware for other criminal groups, along with custom spam messaging.
The group dipped their toes into ransomware distribution by spreading the Locky ransomware to home consumers throughout 2016.
As the ransomware market began shifting targeting from home consumers to enterprise targets, the Evil Corp gang adapted as well, and after dropping the Locky strain for good, they created a new custom ransomware named BitPaymer.
The group used their vast botnet of computers infected with the Dridex malware to look for corporate networks and then deploy BitPaymer on the largest entrprise targets they could identify.
The group operated BitPaymer between 2017 and 2019 when new infections started dropping off. The reasons are unclear, but the slowdown in BitPaymer infections may have also had something to do with the Dridex botnet slowing down its activity between 2017 and 2019.
Aftermath of the DOJ charges
Fox-IT says that this slowdown culminated with the DOJ charges filed in December 2019. Following the high-profile indictments, the group went silent for a full month until January 2020.
According to Fox-IT, the group came back to life in January and spurted a few malware campaigns, usually for other crooks, until March, when they again went silent.
However, when the group returned to life for the second time in 2020, they did so with new tools. Fox-IT says the group created a new ransomware strain to replace the aging BitPaymer variant that they’ve been using since early 2017.
The actual reasons for replacing BitPaymer are shrouded in mystery; however, Fox-IT, says this replacement appears to be a totally new ransomware strain, written from scratch.
Evil Corp starts deploying WastedLocker
Fox-IT says it named this new ransomware WastedLocker based on the file extension it adds to encrypted files, usually consisting of the victim’s name and the string “wasted.”
Security researchers say that an analysis of this new ransomware has revealed little code reuse or code similarities between BitPaymer and WastedLocker; however, some similarities still remain in the ransom note text.
In an interview with ZDNet earlier today, Fox-IT says they’ve been tracking the use of this new ransomware family since May 2020. They say the ransomware has been exclusively deployed against US companies.
“Ransom demands that are asked by Evil Corp are now typically into the millions,” Maarten van Dantzig, Fox-IT security researcher, told ZDNet today.
“We’ve seen demands of more than $10 million,” he added.
Fox-IT said it wasn’t able to confirm if any of the WastedLocker victims paid the ransom demands.
Nonetheless, they say Evil Corp operators are extremely aggressive when deploying the new WastedLocker ransomware.
“Typically, they hit file servers, database services, virtual machines, and cloud environments,” researchers said.
Furthermore, the Fox-IT team says Evil Corp will also try to disrupt backup applications and related infrastructure in an attempt to increase the time needed for companies to recover. In case companies don’t have offline backups, deleting backups almost certainly pushes victims towards paying the ransom — if they can afford Evil Corp’s new multi-million-dollar “decryption prices.”
“Based on samples submitted to VirusTotal we would estimate that WastedLocker was already used as ransomware payload in a handful of cases — around 5, likely more though,” Michael Sandee, Fox-IT security researcher, told ZDNet.
No data theft or leak site
Still, Fox-IT says that Evil Corp has not done one thing that’s very popular with other ransomware gangs right now.
Despite spending all that time developing a brand new ransomware strain, WastedLocker doesn’t include any data theft functions.
Nowadays, almost 10-to-15 ransomware gangs will infect a company network, steal proprietary data, and then threaten to publish the files online, on so-called leak sites or file-sharing portals.
Evil Corp does nothing of the sort, Fox-IT said. This doesn’t mean the group can’t do it, but rather that they chose not to do it. Fox-IT experts say leaking stolen data usually brings a lot of media attention, something the hackers are likely trying to avoid since some of their members are already on the FBI’s Cyber Most Wanted list and don’t want US authorities prioritizing their arrests.