Evil Corp hackers evolve ransomware tactics to dodge US sanctions
The Russia-based cybercriminal group known as Evil Corp has shifted to a ransomware-as-a-service model in an effort to skirt U.S. sanctions, according to research from cybersecurity firm Mandiant. The U.S. Treasury’s Office of Foreign Assets Control, or OFAC, sanctioned Evil Corp in December 2019, citing the group’s extensive development of Dridex malware, which the gang used to steal more than $100 million from hundreds of banks and financial institutions.

Since then, Mandiant researchers have observed a number of ransomware intrusions attributed to a threat actor that it tracks as an as-yet uncategorized threat group dubbed UNC2165, which the threat intelligence firm says shares “numerous overlaps” with Evil Corp and likely represents another evolution in the operations of Evil Corp-affiliated actors.

UNC2165 is a group that Mandiant has tracked since 2019. It almost exclusively obtains access to networks through an infection chain that Mandiant calls “FakeUpdates,” in which victims are tricked into opening malware delivered under the guise of a browser update.