The group used its vast botnet of computers infected with the Dridex malware to identify corporate networks and then deploy BitPaymer on the largest enterprise targets it could find.
The group operated BitPaymer from 2017 until 2019, when new infections started dropping off. The reasons are unclear, but the slowdown in BitPaymer infections may also have had something to do with the Dridex botnet reducing its activity between 2017 and 2019.
AFTERMATH OF THE DOJ CHARGES
Fox-IT says that this slowdown culminated with the DOJ charges filed in December 2019. Following the high-profile indictments, the group went silent for a full month until January 2020.
According to Fox-IT, the group came back to life in January and ran a few malware campaigns, usually on behalf of other crooks, until March, when it again went silent.
However, when the group returned to life for the second time in 2020, they did so with new tools. Fox-IT says the group created a new ransomware strain to replace the aging BitPaymer variant that they’ve been using since early 2017.
The actual reasons for replacing BitPaymer are shrouded in mystery; however, Fox-IT says this replacement appears to be a totally new ransomware strain, written from scratch.
EVIL CORP STARTS DEPLOYING WASTEDLOCKER
Fox-IT says it named this new ransomware WastedLocker based on the file extension it adds to encrypted files, usually consisting of the victim’s name and the string “wasted.”
Security researchers say that an analysis of this new ransomware has revealed little code reuse or few code similarities between BitPaymer and WastedLocker; however, some similarities remain in the ransom note text.
In an interview with ZDNet earlier today, Fox-IT says they’ve been tracking the use of this new ransomware family since May 2020. They say the ransomware has been exclusively deployed against US companies.
“Ransom demands that are asked by Evil Corp are now typically into the millions,” Maarten van Dantzig, Fox-IT security researcher, told ZDNet today.
“We’ve seen demands of more than $10 million,” he added.
Fox-IT said it wasn’t able to confirm if any of the WastedLocker victims paid the ransom demands.
Nonetheless, they say Evil Corp operators are extremely aggressive when deploying the new WastedLocker ransomware.
“Typically, they hit file servers, database services, virtual machines, and cloud environments,” researchers said.
Furthermore, the Fox-IT team says Evil Corp will also try to disrupt backup applications and related infrastructure in an attempt to increase the time companies need to recover. If companies don’t have offline backups, deleting backups almost certainly pushes victims towards paying the ransom — if they can afford Evil Corp’s new multi-million-dollar “decryption prices.”
“Based on samples submitted to VirusTotal we would estimate that WastedLocker was already used as ransomware payload in a handful of cases — around 5, likely more though,” Michael Sandee, Fox-IT security researcher, told ZDNet.
NO DATA THEFT OR LEAK SITE
Still, Fox-IT says that Evil Corp has not done one thing that’s very popular with other ransomware gangs right now.
Despite spending all that time developing a brand new ransomware strain, WastedLocker doesn’t include any data theft functions.
Nowadays, some 10 to 15 ransomware gangs will infect a company network, steal proprietary data, and then threaten to publish the files online, on so-called leak sites or file-sharing portals.
Evil Corp does nothing of the sort, Fox-IT said. This doesn’t mean the group can’t do it, but rather that they chose not to do it. Fox-IT experts say leaking stolen data usually brings a lot of media attention, something the hackers are likely trying to avoid since some of their members are already on the FBI’s Cyber Most Wanted list and don’t want US authorities prioritizing their arrests.