Evil Corp has launched a new type of ransomware called Macaw Locker to evade US sanctions that prevent them from receiving ransom payments.
Evil Corp (aka Indrik Spider and Dridex) is a group of hackers that now mainly carries out ransomware attacks. They began by distributing a banking trojan called Dridex in phishing attacks. Evil Corp later launched BitPaymer, a ransomware that was delivered through Dridex and targeted corporate networks.
Because of this activity, Evil Corp was sanctioned by the US government, and as a result many firms that handle ransom payments would no longer process payments to the group.
To bypass the US sanctions, Evil Corp started creating other ransomware operations, such as WastedLocker, Hades, Phoenix Locker, and PayloadBin. DoppelPaymer, recently rebranded as Grief, is another ransomware family that is believed, but not proven, to be affiliated with Evil Corp.
The most recent attacks, carried out by a new ransomware called Macaw Locker, disrupted the operations of Olympus and Sinclair Broadcast Group and caused TV broadcasts to be canceled.
Fabian Wosar, the CTO of Emsisoft, told BleepingComputer that based on code analysis, the new ransomware, Macaw Locker, is a rebranding of Evil Corp’s existing malware.
BleepingComputer’s sources also shared the private victim pages for the two attacks, where the attackers demanded $28 million for one attack and $40 million for the other.
The Macaw Locker ransomware encrypts its victims’ files, appends the .macaw extension to their names, and drops a ransom note in the affected folders. The ransom note links to a negotiation page unique to the victim on the Macaw Locker Tor site.
The dark web negotiation site contains tools and services that allow victims to negotiate with the attackers, including a chatbox and a tool that decrypts three files for free.
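As an added defender's example, not code from the article or any of its sources: a small Python detector that flags a burst of renames to the .macaw extension in file-activity log lines and lists the folders touched, the kind of signal an endpoint monitor would use to catch the mass encryption described above. The log line format, the sample lines, and the burst threshold are my own assumptions; only the .macaw extension comes from the article.

```python
import re
from collections import deque

# Constructed sample of file-activity log lines (not from the article):
# "<epoch seconds> <action> <path>". Only the .macaw extension is taken
# from the reporting; everything else here is an assumed example.
SAMPLE_LOG = """\
1634700000 RENAME C:\\Users\\alice\\Documents\\report.docx.macaw
1634700001 RENAME C:\\Users\\alice\\Documents\\budget.xlsx.macaw
1634700001 CREATE C:\\Users\\alice\\Documents\\readme.txt
1634700002 RENAME C:\\Users\\alice\\Pictures\\holiday.jpg.macaw
1634700003 RENAME C:\\Users\\alice\\Pictures\\family.png.macaw
1634700120 RENAME C:\\Users\\bob\\notes.txt.macaw
"""

MACAW_EXT = ".macaw"
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s+(.+)$")


def parse_line(line):
    """Parse one assumed log line into (timestamp, action, path) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, path = m.groups()
    return int(ts), action.upper(), path


def detect_macaw_activity(log_text, window=60, threshold=3):
    """Report bursts of >= `threshold` renames to .macaw inside `window`
    seconds, plus every folder in which a .macaw file appeared."""
    bursts = []            # (first_ts, last_ts, count) per reported burst
    affected_dirs = set()
    recent = deque()       # timestamps of .macaw renames in the window
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ts, action, path = ev
        if action != "RENAME" or not path.lower().endswith(MACAW_EXT):
            continue       # unrelated activity (e.g. the CREATE line) is ignored
        affected_dirs.add(path.rsplit("\\", 1)[0])
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            bursts.append((recent[0], ts, len(recent)))
            recent.clear()  # start a fresh window after reporting
    return {"bursts": bursts, "affected_dirs": sorted(affected_dirs)}
```

Running `detect_macaw_activity(SAMPLE_LOG)` on the constructed sample reports one burst of three renames within two seconds and three affected folders; the isolated rename two minutes later stays below the threshold.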