The Russian attack group responsible for distributing the Dridex malware and BitPaymer ransomware, and that was the target of sanctions from the Department of Justice last year, has reemerged with a new strain of ransomware called WastedLocker and an updated distribution framework to install it on victims’ machines.
The group is known variously as Evil Corp and TA505 and has been active in the cybercrime world for many years, stealing tens of millions of dollars from its victims. Evil Corp’s most famous tool is Dridex, a banking trojan that is usually delivered through malicious email attachments. The group has also deployed ransomware known as BitPaymer in the past, but has mostly been seen using Dridex, as it has been wildly successful for them. Researchers and law enforcement officials have been tracking Evil Corp for years, and in December the Department of Justice charged several alleged members of the group with a number of crimes, and the Department of State offered a reward of up to $5 million for information leading to the arrest of Maksim Yakubets, the alleged leader of the group.
Dridex has been a highly effective tool for Evil Corp and it has allowed the group to target victims around the world.
“Once a system is infected, Evil Corp uses compromised credentials to fraudulently transfer funds from victims’ bank accounts to those of accounts controlled by the group. As of 2016, Evil Corp had harvested banking credentials from customers at approximately 300 banks and financial institutions in over 40 countries, making the group one of the main financial threats faced by businesses,” the Justice Department said in its release in December.
“In particular, Evil Corp heavily targets financial services sector organizations located in the United States and the United Kingdom. Through their use of the Dridex malware, Evil Corp has illicitly earned at least $100 million, though it is likely that the total of their illicit proceeds is significantly higher.”
After the U.S. actions against Evil Corp, the group’s activities fell off for a few weeks before resuming in January. Four months later, researchers at NCC Group saw Evil Corp attackers using a previously unknown ransomware variant that they named WastedLocker. The new variant does not share many characteristics with the earlier BitPaymer ransomware, and Evil Corp is using WastedLocker carefully, going after the specific systems inside a network whose loss causes the most havoc for the victim organization.
“Evil Corp are selective in terms of the infrastructure they target when deploying their ransomware. Typically, they hit file servers, database services, virtual machines and cloud environments. Of course, these choices will also be heavily influenced by what we may term their ‘business model’ – which also means they should be able to disable or disrupt backup applications and related infrastructure. This increases the time for recovery for the victim, or in some cases due to unavailability of offline or offsite backups, prevents the ability to recover at all,” Nikolaos Pantazopoulos, Stefano Antenucci, and Michael Sandee of NCC Group wrote in an analysis of the new ransomware.
Unlike most ransomware, WastedLocker does not come preloaded with a list of specific file extensions to search for and encrypt; instead it carries an exclusion list of directories and files not to target. For example, it excludes executables, binaries, and DLLs, among many others. The encryption routine is simple, using AES with a new key for every file. The ransom demand is not included in the ransom note; victims are instructed to send an email to one of two unique addresses in order to find out the price for decryption.
Unlike some of the more recent ransomware campaigns, Evil Corp does not appear to be using WastedLocker to steal and leak sensitive data from victims. The NCC Group researchers theorize that this could be an effort to avoid drawing even more attention from law enforcement agencies. The group has a long-term view of operations and no shortage of resources to call on.
“The group has access to highly skilled exploit and software developers capable of bypassing network defences on all different levels,” the researchers said.
“It appears the group regularly finds innovative but practical approaches to bypass detection in victim networks based on their practical experience gained throughout the years. They also demonstrate patience and persistence. In one case, they successfully compromised a target over 6 months after their initial failure to obtain privileged access.”