
Evil Corp Cybercrime Group Shifts to LockBit Ransomware to Evade Sanctions

LockBit Ransomware

The threat cluster dubbed UNC2165, which shares numerous
overlaps with a Russia-based cybercrime group known as Evil Corp,
has been linked to multiple LockBit ransomware intrusions in an
attempt to get around sanctions[1]
imposed by the U.S. Treasury in December 2019.

“These actors have shifted away from using exclusive ransomware
variants to LockBit — a well-known ransomware as a service (RaaS) —
in their operations, likely to hinder attribution efforts in order
to evade sanctions,” threat intelligence firm Mandiant noted[2]
in an analysis last week.

Active since 2019, UNC2165 is known to obtain initial access to
victim networks via stolen credentials and a JavaScript-based
downloader malware called FakeUpdates[3]
(aka SocGholish), leveraging it to previously deploy Hades[4]
ransomware.

Hades is the work of a financially motivated hacking group named
Evil Corp, which is also called by the monikers Gold Drake and
Indrik Spider and has been attributed to the infamous Dridex[5]
(aka Bugat) trojan as well as other ransomware strains such as
BitPaymer, DoppelPaymer, and WastedLocker over the past five
years.

UNC2165’s pivot from Hades to LockBit as a sanctions-dodging
tactic is said to have occurred in early 2021.

Interestingly, FakeUpdates has also, in the past, served as the
initial infection vector for distributing Dridex that then was used
as a conduit to drop BitPaymer and DoppelPaymer onto compromised
systems.

Mandiant said it noted further similarities between UNC2165 and
an Evil Corp-connected cyber espionage activity tracked by Swiss
cybersecurity firm PRODAFT under the name SilverFish[6],
aimed at government entities and Fortune 500 companies in the E.U.
and the U.S.

A successful initial compromise is followed by a string of
actions as part of the attack lifecycle, including privilege
escalation, internal reconnaissance, lateral movement, and
maintaining long-term remote access, before delivering the
ransomware payloads.

Sanctions are used as a means to rein in ransomware attacks by
barring victims from negotiating with the threat actors. But adding
a ransomware group to a sanctions list without naming the
individuals behind it has also been complicated by the fact that
cybercriminal syndicates often shutter, regroup, and rebrand under
a different name to circumvent law enforcement.

“The adoption of an existing ransomware is a natural evolution
for UNC2165 to attempt to obscure their affiliation with Evil
Corp,” Mandiant said, while also ensuring that sanctions are “not a
limiting factor to receiving payments from victims.”

“Using this RaaS would allow UNC2165 to blend in with other
affiliates,” the company added, stating, “it is plausible that the
actors behind UNC2165 operations will continue to take additional
steps to distance themselves from the Evil Corp name.”

The findings from Mandiant, which is in the process of being
acquired by Google[7], are particularly
significant as the LockBit ransomware gang has since alleged that
it had breached the company’s network and stolen sensitive
data.

The group, beyond threatening to release “all available data” on
its data leak portal, didn’t specify the exact nature of the
contents in those files. However, Mandiant said there is no
evidence to support the claim.

“Mandiant has reviewed the data disclosed in the initial LockBit
release,” the company told The Hacker News. “Based on the data that
has been released, there are no indications that Mandiant data has
been disclosed but rather the actor appears to be trying to
disprove Mandiant’s June 2, 2022 research on UNC2165 and
LockBit.”

References

  1. sanctions (thehackernews.com)
  2. noted (www.mandiant.com)
  3. FakeUpdates (thehackernews.com)
  4. Hades (thehackernews.com)
  5. Dridex (thehackernews.com)
  6. SilverFish (www.prodaft.com)
  7. acquired by Google (thehackernews.com)