Evil Corp new campaigns: $40 million ransom demands by Macaw ransomware

The known Russian cybercriminal gang linked to recent ransomware attacks

Evil Corp linked with at least two incidents this month
The Russian hacker group is reportedly responsible for large attacks, one of them on Sinclair Broadcast Group over the weekend.

The new Macaw Locker attacks have been linked with the Russian hacker group Evil Corp.[1] The newest ransomware has features that help its creators profit while evading the US sanctions that were created to prevent ransom payments. The malicious actors were sanctioned by the US in 2019.[2]

This group is also known by other names, such as IndrikSpider, Dridex group, Hades, and PayloadBin, and has kept changing these names to avoid detection and the termination of its activities. These names were created for particular operations because, due to the sanctions, ransomware negotiation firms stay away from facilitating payments related to Evil Corp.

The cybercriminal gang has been active at least since 2007, starting as an affiliate of other criminal groups.[3] It became more prominent and active once the Dridex malware was created and spread through phishing attacks. Now the hackers continue their activities by releasing ransomware threats. Before Macaw Locker, the group launched the BitPaymer ransomware, which also used Dridex as a vector.

The newest addition to the threat family: Macaw Locker

This ransomware acts as a common cryptovirus: it locks files by encrypting them and appends the .macaw extension to their names. This suffix appears at the end of the original file name, right after the original file type indicator. The threat then moves on to ransom note delivery: the macaw_recover.txt file gets placed in various folders with affected data and on the desktop.
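The two file-system indicators described above (the appended .macaw suffix and the macaw_recover.txt note) are enough for a first triage pass over an affected share. The following is an added example for responders, not code from the original article or from the malware: it walks a directory tree, recovers each original file name from the appended suffix, and lists the folders where the note was dropped. The sample tree it builds is constructed for the demo and is not from a real incident.

```python
import os
import tempfile

MACAW_EXT = ".macaw"                 # appended after the original extension
RANSOM_NOTE = "macaw_recover.txt"    # dropped in affected folders and on the desktop


def scan_tree(root):
    """Walk `root`; return ({macaw_path: original_name}, [dirs with note])."""
    encrypted, note_dirs = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.append(os.path.relpath(dirpath, root))
            elif name.endswith(MACAW_EXT):
                # The original name (with its real extension) is what
                # precedes the appended suffix.
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                encrypted[rel] = name[: -len(MACAW_EXT)]
    return encrypted, sorted(note_dirs)


def summarize(root):
    """Counts a responder would report: hit files, note folders, original types."""
    encrypted, note_dirs = scan_tree(root)
    by_ext = {}
    for original in encrypted.values():
        ext = os.path.splitext(original)[1] or "(none)"
        by_ext[ext] = by_ext.get(ext, 0) + 1
    return {"encrypted": len(encrypted), "note_dirs": note_dirs, "by_ext": by_ext}


def build_sample_tree():
    """Constructed sample data (not from a real incident): two hit folders, one clean."""
    root = tempfile.mkdtemp(prefix="macaw_demo_")
    layout = {
        "Documents": ["report.docx.macaw", "budget.xlsx.macaw", RANSOM_NOTE],
        "Desktop": ["notes.txt.macaw", RANSOM_NOTE],
        "Music": ["song.mp3"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
    return root


if __name__ == "__main__":
    print(summarize(build_sample_tree()))
```

Point `scan_tree` at a mounted copy of the affected volume rather than the demo tree; the recovered original names are what a restore-from-backup job needs.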

The negotiation page is developed for every specific victim. Creators of Macaw Locker can then list the campaign ID and contact information, such as the Tor site, in the text file. The page people end up on once the link is clicked shows an introduction and an explanation of what happened to the company and how to decrypt the affected files. Three files can be submitted for free decryption, and negotiations may start there.

Since the Macaw Locker ransomware has been identified and linked with Evil Corp, the attackers are, based on previous behavior, expected to rebrand and change the name of the ransomware once again to evade sanctions. Unfortunately, it is unlikely that this game will end soon, since the hacker group manages to operate actively and as silently as it can to avoid sanctions, and this will go on until those get lifted completely.

Sinclair broadcast hack linked with the gang

This past month, and more specifically the last weekend, was apparently big for ransomware creators. Olympus and the Sinclair Broadcast Group were both affected by ransomware.[4] Operations got disrupted, and the ransomware attack significantly affected the security state of the networks. The TV broadcasters had to stop news shows, and reporters were forced to use pen and paper and rely on social media livestreams.

At the time, there were no details on the particular malware, but as this week went on, the Macaw Locker ransomware was reported as the one responsible for the Olympus attack as well as the Sinclair incident.[5] Further analysis shows that this is the product of the Evil Corp group and that the particular attackers asked for up to $40 million in ransom from other victims.

These details got released when a source accessed the private ransomware victim pages for two attacks, where a ransom demand of 450 Bitcoin showed up. However, these two reported companies are the only targets known today. It is unknown how many other organizations suffered, or what the names of those companies are.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
