The new ransomware nicknamed PayloadBIN was attributed to Evil Corp. The cybercrime gang tried to impersonate another ransomware gang in an attempt to evade US sanctions.
The Evil Corp gang, also known as Indrik Spider and the Dridex gang, started as ZeuS botnet operators and evolved into the BitPaymer ransomware operation. After the US government sanctioned Evil Corp for its ransomware attacks in 2019, many ransomware negotiation firms refused to accept ransom payments from Evil Corp’s victims. That is why Evil Corp started renaming its ransomware operations: to evade the sanctions.
Last week, BleepingComputer discovered a new ransomware called PayloadBIN. It was initially believed that it was related to the rebranding of the Babuk Locker because, at the end of May, the Babuk ransomware gang rebranded as a new group called ‘payload bin.’ BleepingComputer researchers noticed that the ransomware would add a .PAYLOADBIN extension to the encrypted files. In addition, the ransom note also states that the victim’s networks are “LOCKED with PAYLOADBIN ransomware.”
However, after analyzing the new ransomware, security experts from Emsisoft and ID Ransomware have confirmed that it’s a rebranding of Evil Corp’s previous operations.
While discussing why they would impersonate a cybercrime group, Fabian Wosar, CTO of Emsisoft, said that they saw an opportunity to do so and took advantage of it.
“Looks like EvilCorp is trying to pass off as Babuk this time. As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations,” Wosar tweeted.
Due to the revelations about the PayloadBIN ransomware, most ransomware negotiation firms are not going to help the sanctioned hacking group get paid, BleepingComputer said.