Tuesday, June 15, 2021

Evil Corp Ransomware Posing As PayloadBin Group To Avoid US Sanctions

The hackers specifically renamed their ransomware in order to mimic the new Babuk operators' project

Operators of new ransomware PayloadBIN, linked to the cybercriminal group Evil Corp, are trying to avoid sanctions imposed by the Office of Foreign Assets Control of the US Treasury Department (OFAC).

Members of Evil Corp (also known as Indrik Spider and Dridex) started out as partners with the ZeuS botnet operators.

Over time, Evil Corp formed its own group that focused on distributing a banking Trojan called Dridex via phishing emails. When the gangs began to move towards high-yield ransomware attacks, Evil Corp used BitPaymer ransomware, which was spread by the Dridex malware to compromised corporate networks.

[Image: Babuk Tor site turned into Payload Bin site. Source: MalwareHunterTeam]

Following sanctions by the U.S. government in 2019, firms negotiating with ransomware operators refused to pay ransoms for Evil Corp’s attacks to avoid fines or lawsuits from the U.S. Treasury Department.

Evil Corp responded by rebranding its ransomware as WastedLocker, Hades and Phoenix to circumvent these sanctions.

Recall that at the end of April this year, the Babuk operators announced that they were ceasing operations. However, two weeks later, the group resurfaced with a new project, Payload Bin.

Although the group says it will no longer steal data and demand ransom for it, it will offer that service to other cybercriminals who lack their own brand and leak site.

[Image: Files encrypted by PayloadBIN]

BleepingComputer discovered a new ransomware sample called PayloadBIN on the VirusTotal service and initially suggested that the malware was associated with the Babuk Locker rebranding.

Once installed, the ransomware appends the .PAYLOADBIN extension to encrypted files. The ransom note is named PAYLOADBIN-README.txt and informs the victim that “the networks are BLOCKED using the PAYLOADBIN ransomware.”

[Image: PayloadBIN ransom note]

This suggested that Babuk had lied about its intention to abandon ransomware. However, after analyzing the new sample, Fabian Wosar of Emsisoft and Michael Gillespie of ID Ransomware confirmed that the program actually belongs to Evil Corp.

As Wosar suggested, the hackers saw and seized the opportunity to impersonate another group that had not been sanctioned.
