Evil Corp impersonates PayloadBin hackers to overcome imposed sanctions

Russian hackers had to pretend to be another gang due to charges in 2019

Russian hacker group Evil Corp strikes with new ransomware

The Evil Corp gang, also known as the Dridex gang and Indrik Spider, has released new ransomware into the wild and called it PayloadBin. The name suggests that the cybercriminal group of the same name is distributing the malware.

But cybersecurity specialists who obtained and analyzed samples of the ransomware found out[1] that Evil Corp is impersonating another hacker group, PayloadBin, to get around the sanctions imposed on it in 2019 by the US Treasury Department's Office of Foreign Assets Control.

These sanctions forbid ransomware negotiation companies from dealing with the gang. The group started as an affiliate of the ZeuS botnet but made headlines worldwide for distributing the Dridex banking trojan,[2] which is capable of downloading additional malware onto an infected device.

Evil Corp group responsible for over $100 million in theft

With its Dridex trojan (also known as Bugat and Cridex), whose primary delivery method was phishing emails,[3] the gang managed to steal login credentials for banks and other financial institutions in over 40 countries. A report[4] by the U.S. Treasury Department shows that the gang obtained north of $100 million from its victims. The press release stated:

This malicious software has caused millions of dollars of damage to U.S. and international financial institutions and their customers.

As malware evolved and file-locking threats emerged, the Evil Corp gang started to deliver its BitPaymer ransomware[5] through its Dridex trojan. Its main targets were mid- to large-size organizations that would have the ability to pay large sums.

Due to the magnitude of the attacks and the amount of money stolen, the U.S. Department of Justice issued arrest warrants for two Russian citizens – Maksim V. Yakubets and Igor Turashev. A $5 million reward is offered for information leading to the arrest of Yakubets.

Along with these charges, 15 more Russian citizens with links to Evil Corp were sanctioned. All ransomware negotiation firms in the US were prohibited from dealing with these criminals. Hence, when releasing new ransomware, the group used the name of another hacker group to bypass these sanctions.

What is PAYLOADBIN ransomware, and who's distributing it?

Ransomware is an extremely hazardous computer infection that locks personal data (documents, databases, pictures, etc.) on a targeted computer or network and demands a ransom, usually in Bitcoin, for the decryption tool or software. More advanced variants can also download some or all of the files from an infected device and hold them as leverage until victims give in to their attackers' demands.

On May 3, 2021, researchers found[6] a new ransomware variant. Since this type of malware is named after the extension it appends to the files it encrypts, it was named Payloadbin. Because a hacker group with the same name exists (after changing it from Babuk), that group was automatically presumed to be responsible for the new threat.
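The naming rule above (a family is labelled by the extension it appends to encrypted files) also gives defenders a cheap detection heuristic: a burst of files that have gained an unfamiliar extra extension on top of a normal document extension. The script below is an added example and is not code from the article or from the researchers it cites; the ".PAYLOADBIN" extension and the directory listing are constructed placeholders, and the threshold of three files is an assumption.

```python
"""Flag a likely ransomware family from appended file extensions.

Added example, not from the article. The listing and the ".PAYLOADBIN"
extension below are constructed placeholders.
"""
from collections import Counter, defaultdict

# Constructed sample directory listing: a few untouched user files, two
# legitimate double-extension files, and four files that have gained an
# extra extension (the pattern the article's naming rule describes).
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Users/alice/Documents/report.docx.PAYLOADBIN",
    "C:/Users/alice/Pictures/holiday.jpg.PAYLOADBIN",
    "C:/Users/alice/Documents/archive.tar.gz",
    "C:/Users/alice/Documents/notes.txt",
    "C:/Users/alice/Documents/contract.pdf.PAYLOADBIN",
    "D:/shares/finance/q1.xlsx.PAYLOADBIN",
    "D:/shares/finance/readme.txt.bak",
    "D:/shares/finance/HOW_TO_RESTORE.txt",
]

# Extensions that legitimately appear as the last or second-to-last part of
# a file name. Anything else appended after one of these is suspicious.
KNOWN_EXTENSIONS = {
    "docx", "doc", "xlsx", "xls", "pptx", "pdf", "txt", "csv", "sql",
    "jpg", "jpeg", "png", "gif", "zip", "tar", "gz", "7z", "bak", "log",
}


def appended_extension(path):
    """Return (original_ext, appended_ext) when a file name looks like
    name.<known extension>.<unknown extension>, otherwise None.

    Legitimate stacked extensions such as archive.tar.gz or readme.txt.bak
    are not reported because both parts are in KNOWN_EXTENSIONS.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.split(".")
    if len(parts) < 3:
        return None
    original, extra = parts[-2].lower(), parts[-1]
    if original in KNOWN_EXTENSIONS and extra.lower() not in KNOWN_EXTENSIONS:
        return original, extra.upper()
    return None


def suspected_ransomware_families(paths, min_hits=3):
    """Count files per appended extension and return those at or above
    min_hits as {EXTENSION: count}. The extension, upper-cased, is the
    label a defender would use for the family, following the article's
    naming convention."""
    counts = Counter()
    for path in paths:
        hit = appended_extension(path)
        if hit:
            counts[hit[1]] += 1
    return {ext: n for ext, n in counts.items() if n >= min_hits}


def affected_files(paths):
    """Group affected file paths by appended extension, for triage output."""
    groups = defaultdict(list)
    for path in paths:
        hit = appended_extension(path)
        if hit:
            groups[hit[1]].append(path)
    return dict(groups)


if __name__ == "__main__":
    families = suspected_ransomware_families(SAMPLE_LISTING)
    for ext, count in families.items():
        print(f"suspected family .{ext}: {count} files")
        for path in affected_files(SAMPLE_LISTING)[ext]:
            print("  ", path)
```

Run it against a real listing by replacing SAMPLE_LISTING with the output of a recursive directory walk; the threshold keeps a single oddly named file from raising an alert, while a burst of renames across many documents does.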

But since that group has reportedly turned away from ransomware to focus on data-theft extortion, the attribution raised suspicion. Only after a thorough analysis of the new ransomware did it become evident that Evil Corp hackers had named their new infection after another group to evade sanctions.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College with a degree in Communication and Journalism.
