The Evil Corp cybercrime gang (aka the Dridex gang or INDRIK SPIDER) was spotted using Hades ransomware to evade sanctions imposed by the Treasury Department’s Office of Foreign Assets Control (OFAC), BleepingComputer reports.
Active since at least 2007, Evil Corp is known for distributing the Dridex malware and lately ransomware, such as Locky and BitPaymer.
The U.S. Treasury Department imposed sanctions on Evil Corp gang members in December 2019. This means Evil Corp’s victims would violate the sanctions by paying Evil Corp’s ransom.
In 2020, Evil Corp started using the new WastedLocker ransomware to circumvent the sanctions, and more recently turned to a 64-bit variant of WastedLocker known as Hades to bypass the sanctions and monetize their attacks. The upgraded toolset comes with additional code obfuscation and several minor feature changes.
“Hades ransomware shares the majority of its functionality with WastedLocker; the ISFB-inspired static configuration, multi-staged persistence/installation process, file/directory enumeration, and encryption functionality are largely unchanged,” CrowdStrike said.
Hades received some minor modifications, and some features were removed, including those that were most characteristic of INDRIK SPIDER’s previous ransomware families, WastedLocker and BitPaymer.
Once Hades encrypts the victim’s system, it drops a ransom note named ‘HOW-TO-DECRYPT-[extension].txt’, styled after the REvil ransomware note. The victim is given a Tor URL and a Tox messenger address they can use to get in touch with Evil Corp.
The U.S. Treasury Department’s sanctions and indictments have greatly impacted the Evil Corp group and their ability to successfully monetize their criminal operations.
CrowdStrike explains that to circumvent the sanctions and get payments, Evil Corp adopted a new tactic in which they exfiltrate data from victims to elicit payments:
“INDRIK SPIDER’s move to this ransomware variant also came with another shift in tactics: the departure from using email communication and the possibility of exfiltrating data from victims to elicit payments.”
“The continued development of WastedLocker ransomware is the latest attempt by the notorious adversary to distance themselves from known tooling to aid them in bypassing the sanctions imposed upon them,” CrowdStrike concluded.