Evil Corp Switches to Ransomware-as-a-Service to Evade US Sanctions
Evil Corp—or at least a hacking group affiliated with it—is mixing things up. Mandiant reports that a threat actor it's been tracking as UNC2165 appears to be related to the cybercrime group, which was sanctioned by the US Treasury Department in 2019 for using "the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft."
Those sanctions prevent organizations from paying a ransom to restore access to their systems. Financially motivated threat actors like Evil Corp aren't targeting organizations for the fun of it, or looking to further a nation-state's agenda, so they have to maximize their chances of getting paid. That means they need to make it harder for their victims to identify them.
That is why, according to Mandiant, hacking groups affiliated with Evil Corp have used a variety of ransomware strains over the last two years. The groups initially used WastedLocker, but after that ransomware's connection to Evil Corp was revealed, they switched to a ransomware family known as Hades. Now they've started using a ransomware-as-a-service (RaaS) called LockBit.