{"id":23642,"date":"2022-06-06T08:16:03","date_gmt":"2022-06-06T12:16:03","guid":{"rendered":"https:\/\/www.technewsday.com\/?p=23642"},"modified":"2022-06-06T08:16:03","modified_gmt":"2022-06-06T12:16:03","slug":"evil-corp-transitions-to-lockbit-to-evade-sanctions","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/evil-corp-transitions-to-lockbit-to-evade-sanctions\/","title":{"rendered":"Evil Corp Transitions To Lockbit To Evade Sanctions"},"content":{"rendered":"<p data-ar-index=\"0\"><span style=\"font-weight: 400;\">The Evil Corp cybercrime gang has now transitioned to deploying LockBit ransomware on their target networks in an effort to avoid sanctions imposed by the U.S. Treasury Department&#8217;s Office of Foreign Assets Control (OFAC).<\/span><\/p>\n<p data-ar-index=\"2\"><span style=\"font-weight: 400;\">Evil Corp, also known as INDRIK SPIDER or the Dridex gang, has been operating since 2007 and is notorious for spreading the Dridex malware and later on moving to the ransomware business.<\/span><\/p>\n<p data-ar-index=\"4\"><span style=\"font-weight: 400;\">In December 2019, the group was sanctioned in the U.S. for wrecking over $100 million in financial damages. It was then that the gang transitioned to installing its new WastedLocker ransomware beginning June 2020.<\/span><\/p>\n<p data-ar-index=\"6\"><span style=\"font-weight: 400;\">As threat analysts from Mandiant have earlier detected, the group is now trying to distance itself from known tooling to enable its victims to pay ransoms without the dangers involved in violating OFAC regulations.<\/span><\/p>\n<p data-ar-index=\"8\"><span style=\"font-weight: 400;\">An activity cluster detected and tracked by Mandiant as UNC2165 is now deploying ransomware as a LockBit affiliate. This cluster has been previously connected with Evil Corp.<\/span><\/p>\n<p data-ar-index=\"10\"><span style=\"font-weight: 400;\">This latest strategy of acting as a Ransomware as a Service (RaaS) operation affiliate would enable the group to utilize the time needed for ransomware development into expanding the group&#8217;s ransomware activities.<\/span><\/p>\n<p data-ar-index=\"12\"><span style=\"font-weight: 400;\">Other experts claim that the transition to other malicious tools gives Evil Corp enough free resources to come up with a new ransomware strain from scratch, thus making it more difficult for security researchers to follow and link the group&#8217;s past operations.<\/span><\/p>\n<p data-ar-index=\"14\"><span style=\"font-weight: 400;\">&#8220;We expect these actors as well as others who are sanctioned in the future to take steps such as these to obscure their identities in order to ensure that it is not a limiting factor to receiving payments from victims,&#8221; Mandiant said.<\/span><\/p>\n<p data-ar-index=\"15\">\n<p data-ar-index=\"16\"><span style=\"font-weight: 400;\">For more information, read the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/evil-corp-switches-to-lockbit-ransomware-to-evade-sanctions\/\" target=\"_blank\" rel=\"noopener\">original story<\/a> in Bleepingcomputer.\u00a0<\/span><\/p>\n<p data-ar-index=\"17\">\n","protected":false},"excerpt":{"rendered":"<p>The Evil Corp cybercrime gang has now transitioned to deploying LockBit ransomware on their target networks in an effort to avoid sanctions imposed by the U.S. Treasury Department&#8217;s Office of Foreign Assets Control (OFAC). Evil Corp, also known as INDRIK SPIDER or the Dridex gang, has been operating since 2007 and is notorious for spreading [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[66,16],"tags":[],"class_list":["post-23642","post","type-post","status-publish","format-standard","hentry","category-open-source","category-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/23642","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=23642"}],"version-history":[{"count":1,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/23642\/revisions"}],"predecessor-version":[{"id":23645,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/23642\/revisions\/23645"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=23642"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=23642"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=23642"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}