Evil Corp: A Deep Dive Into One of the World’s Most Notorious Hacker Groups


Evil Corp has carried out several sophisticated attacks since it first burst onto the online scene. But just how dangerous are they?

In December 2019, the United States Justice Department unsealed charges against Russian national Maksim Yakubets, and the State Department offered a reward of up to $5 million for information leading to his arrest or conviction.

No one has come forward with information that would allow US authorities to capture the elusive and mysterious Yakubets thus far. He is still at large, as the leader of Evil Corp—one of the most notorious and successful hacker groups of all time.

Active since 2009, Evil Corp—also known as the Dridex gang or INDRIK SPIDER—has waged a sustained assault on corporate entities, banks, and financial institutions around the world, stealing hundreds of millions of dollars in the process.

Let’s take a look at just how dangerous this group is.

The Evolution of Evil Corp

Evil Corp’s methods have changed considerably over the years, as it gradually evolved from a typical, financially motivated black hat hacker group to an exceptionally sophisticated cybercrime outfit.

When the Justice Department indicted Yakubets in 2019, the US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Evil Corp. Because the sanctions expose any company that pays a ransom to Evil Corp, or facilitates such a payment, to penalties, the group has had to adapt.

Evil Corp has used a vast arsenal of malware to target organizations. The following sections will look at the most notorious ones.

Dridex

Also known as Bugat and Cridex, Dridex was first discovered in 2011. A classic banking trojan that shares many similarities with the infamous Zeus, Dridex is designed to steal banking information and is typically deployed through email.

Using Dridex, Evil Corp has managed to steal more than $100 million from financial institutions in over 40 countries. The malware is constantly updated with new features and remains an active threat globally.

Locky

Locky infects networks via malicious attachments in phishing emails. The attachment, a Microsoft Word document, contains malicious macros. When the victim opens the document, its contents appear as garbled text together with the instruction: “Enable macro if data encoding is incorrect.”

This simple social engineering trick usually persuades the victim to enable the macros. The macros then download and run the Locky binary, which encrypts files on the device and directs the user to a website demanding a ransom payment.

Bart

Bart is usually delivered by phishing emails whose attachment poses as photos. It scans files on a device looking for certain extensions (music, videos, photos, etc.) and locks them in password-protected ZIP archives rather than encrypting them with its own cipher.

Once the victim tries to unpack the ZIP archive, they are presented with a ransom note (in English, German, French, Italian, or Spanish, depending on the location) and told to submit a ransom payment in Bitcoin.

Jaff

When first deployed, Jaff ransomware flew under the radar because both cybersecurity experts and the press focused on WannaCry. However, that doesn’t mean it’s not dangerous.

Much like Locky, Jaff arrives as an email attachment, usually a PDF document with an embedded Word document. Once the victim opens the PDF, a prompt asks whether to open the embedded file; once they do and enable its macros, the macros download and run the Jaff binary, which encrypts files on the device.
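Both the Locky and Jaff sections above describe the same delivery mechanism: a macro-enabled Office document whose auto-executing VBA code fetches the ransomware binary. The following is an added example, not code from the original article or from either malware family, showing how a defender can triage such an attachment offline. It unpacks an OOXML file in memory, checks for a VBA project part and for a macro-enabled content type, scans the VBA blob for auto-execute procedure names, and flags documents whose extension claims to be macro-free but which carry a VBA project. The sample documents are constructed inside the block; the `vbaProject.bin` stand-in is a placeholder, not a real OLE compound file.

```python
"""Offline triage of an Office attachment for embedded VBA macros (added example)."""
import io
import re
import zipfile

# OOXML part name Word uses for an embedded VBA project.
VBA_PART = "word/vbaProject.bin"
# Content type that marks a macro-enabled Word document (.docm).
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
# Procedure names Office runs on its own once macros are enabled.
AUTO_EXEC = re.compile(rb"AutoOpen|Document_Open|AutoExec|Auto_Open|Workbook_Open", re.IGNORECASE)


def triage_office_doc(data: bytes, filename: str = "") -> dict:
    """Inspect one OOXML file held in memory and return what was found."""
    findings = {
        "is_ooxml": False,
        "macro_content_type": False,
        "has_vba_project": False,
        "auto_exec_triggers": [],
        "extension_mismatch": False,
        "verdict": "not-ooxml",
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings

    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return findings
    findings["is_ooxml"] = True
    findings["macro_content_type"] = MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml")

    if VBA_PART in names:
        findings["has_vba_project"] = True
        blob = zf.read(VBA_PART)
        # Heuristic: procedure names normally survive as literal bytes inside the
        # MS-OVBA-compressed module streams, so a plain scan finds them. A miss is
        # not proof of absence; the VBA part alone is reason enough to block.
        findings["auto_exec_triggers"] = sorted({m.decode("ascii", "replace").lower()
                                                 for m in AUTO_EXEC.findall(blob)})
        # A ".docx" name with a VBA project inside is a lure trying to look harmless.
        findings["extension_mismatch"] = filename.lower().endswith(".docx")

    if findings["auto_exec_triggers"]:
        findings["verdict"] = "macro-autorun"
    elif findings["has_vba_project"]:
        findings["verdict"] = "macro"
    else:
        findings["verdict"] = "clean"
    return findings


def build_sample_doc(with_macro: bool, auto_open: bool) -> bytes:
    """Build a minimal constructed OOXML document for testing (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        main_ct = (MACRO_CONTENT_TYPE.decode() if with_macro else
                   "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Stand-in for a real vbaProject.bin (an OLE compound file); the
            # procedure name is what the scan keys on. Constructed, not captured.
            proc = "AutoOpen" if auto_open else "HelperRoutine"
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + f"Sub {proc}()\r\nEnd Sub\r\n".encode())
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc, name in (("lure", build_sample_doc(True, True), "invoice.docx"),
                             ("plain", build_sample_doc(False, False), "invoice.docx")):
        print(label, triage_office_doc(doc, name)["verdict"])
```

The verdict is deliberately coarse: a mail gateway can quarantine anything that is not `clean` without needing the trigger list, while the trigger names and the extension mismatch give an analyst something to pivot on when reviewing what was blocked.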

BitPaymer

Evil Corp infamously used the BitPaymer ransomware to target hospitals in the UK in 2017. Developed for targeting major organizations, BitPaymer typically gains entry through brute-forced remote-access credentials (most often RDP) and demands high ransom payments.

More recent iterations of BitPaymer have circulated through fake Flash and Chrome updates. Once it gains access to a network, this ransomware locks files using a symmetric cipher for the file contents and RSA to protect the per-file keys, and leaves a ransom note.

WastedLocker

After the Treasury sanctions, Evil Corp went quiet. But not for long; the group reemerged in 2020 with new, complex ransomware called WastedLocker.

WastedLocker usually circulates in fake browser updates, often displayed on legitimate websites—such as news sites.

The fake update installs a loader rather than WastedLocker itself. From that foothold, the operators move laterally to other machines on the network and escalate privileges (gaining access levels they were never granted, for instance by bypassing Windows User Account Control) before deploying the ransomware.

After execution, WastedLocker encrypts virtually all files it can access and renames them to include the victim’s name along with “wasted,” and demands a ransom payment between $500,000 and $10 million.

Hades

First discovered in December 2020, Evil Corp’s Hades ransomware appears to be an updated version of WastedLocker.

The operators gain access through Virtual Private Network (VPN) or Remote Desktop Protocol (RDP) services using legitimate credentials, which they typically obtain by brute force.

Upon landing on a victim’s machine, Hades replicates itself and relaunches through the command line. An executable then launches, allowing the malware to scan the system and encrypt files. The malware then leaves a ransom note, directing the victim to install Tor and visit a web address.

Notably, web addresses Hades leaves are customized for each target. Hades appears to have exclusively targeted organizations with annual revenues exceeding $1 billion.

PayloadBIN

Evil Corp appears to be impersonating the Babuk hacker group and deploying the PayloadBIN ransomware.

First spotted in 2021, PayloadBIN encrypts files and adds “.PAYLOADBIN” as a new extension, and then delivers a ransom note.
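WastedLocker, PayloadBIN and Bart, as described above, all leave the same footprint on disk: one process renames a large number of files in a short time, appending a new suffix (a victim-specific “wasted” tag, `.PAYLOADBIN`, or a `.bart.zip` archive name). The following is an added example, not code from the original article or from any of these families, of a detector that keys on that behaviour rather than on a list of known extensions, so a never-before-seen suffix still triggers it. The rename events are constructed to resemble file-rename telemetry from Sysmon or an EDR agent; the field names (`ts`, `pid`, `image`, `src`, `dst`) and the process paths are assumptions, not any product's real schema.

```python
"""Detect a ransomware-style rename burst in file-rename telemetry (added example)."""
import os
from collections import defaultdict
from datetime import datetime, timedelta


def appended_suffix(src: str, dst: str):
    """Return the text a rename appended to the original file name, else None."""
    s = os.path.basename(src.replace("\\", "/"))
    d = os.path.basename(dst.replace("\\", "/"))
    if len(d) > len(s) and d.startswith(s):
        return d[len(s):]
    return None


def family_hint(suffix: str) -> str:
    """Name the family when the appended suffix matches one described in the text."""
    s = suffix.lower()
    if s.endswith("wasted"):
        return f"WastedLocker-style (victim tag '{s[1:-6]}')"
    if s == ".payloadbin":
        return "PayloadBIN"
    if s.endswith(".bart.zip"):
        return "Bart"
    return "unknown (suffix-agnostic hit)"


def detect_rename_bursts(events, window=timedelta(seconds=60), threshold=10):
    """Flag any process that renames >= threshold files to one new suffix within window."""
    by_key = defaultdict(list)
    for ev in events:
        suffix = appended_suffix(ev["src"], ev["dst"])
        if suffix:
            by_key[(ev["pid"], ev["image"], suffix.lower())].append(ev["ts"])

    alerts = []
    for (pid, image, suffix), stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window forward until it spans at most `window` seconds.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"pid": pid, "image": image, "suffix": suffix,
                               "renames_in_window": end - start + 1,
                               "first_seen": stamps[start], "hint": family_hint(suffix)})
                break  # one alert per (process, suffix) is enough
    return alerts


# ---- constructed sample telemetry (not captured from a real incident) ----
T0 = datetime(2020, 6, 1, 9, 0, 0)


def _renames(pid, image, root, n, suffix, step_s, start):
    return [{"ts": start + timedelta(seconds=i * step_s), "pid": pid, "image": image,
             "src": f"{root}\\doc{i:02d}.pdf", "dst": f"{root}\\doc{i:02d}.pdf{suffix}"}
            for i in range(n)]


SAMPLE_EVENTS = (
    # Benign: a backup job appends .bak to three files (below threshold).
    _renames(1200, "C:\\Windows\\System32\\robocopy.exe", "D:\\share\\finance", 3, ".bak", 1, T0)
    # Benign: Word's save pattern renames a temp file; nothing is appended, so it is ignored.
    + [{"ts": T0 + timedelta(seconds=5), "pid": 1410, "image": "WINWORD.EXE",
        "src": "C:\\Users\\a\\~WRL0001.tmp", "dst": "C:\\Users\\a\\report.docx"}]
    # Benign but slow: 12 .bak renames at 10 s intervals never put 10 inside one 60 s window.
    + _renames(1300, "C:\\Program Files\\Backup\\agent.exe", "D:\\share\\archive", 12, ".bak", 10, T0)
    # Malicious: one process renames 12 files to .acmewasted within 44 seconds.
    + _renames(4412, "C:\\ProgramData\\svchost.exe", "D:\\share\\finance", 12, ".acmewasted", 4,
               T0 + timedelta(minutes=1))
    # Malicious: another process renames 12 files to .PAYLOADBIN within 33 seconds.
    + _renames(5120, "C:\\Users\\Public\\enc.exe", "D:\\share\\hr", 12, ".PAYLOADBIN", 3,
               T0 + timedelta(minutes=5))
)


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are the tuning knobs: set them from the renames-per-minute a normal backup or document-management process produces in your own environment, and wire the alert to an automated response (isolate the host, kill the process) rather than a ticket, since the encryption described above finishes in minutes.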

Suspected Ties to Russian Intelligence

The security consulting company Truesec's analysis of ransomware incidents involving Evil Corp found that the group has used techniques similar to those Russian government-backed hackers used in the devastating SolarWinds attack of 2020.

Though extremely capable, Evil Corp has been rather nonchalant about extracting ransom payments, the researchers found. Could it be that the group deploys ransomware attacks as a distraction tactic to conceal its true goal: cyber espionage?

According to Truesec, evidence suggests that Evil Corp has “morphed into a mercenary espionage organization controlled by Russian Intelligence but hiding behind the façade of a cybercrime ring, blurring the lines between crime and espionage.”

Yakubets is said to have close ties to the Federal Security Service (FSB)—the main successor agency to the Soviet Union’s KGB. He reportedly married high-ranking FSB officer Eduard Bendersky’s daughter in the summer of 2017.

Where Will Evil Corp Strike Next?

Evil Corp has grown into a sophisticated group capable of carrying out high-profile attacks on major institutions. As this article highlights, its members have proven they can adapt under pressure, which makes them more dangerous still. Although nobody knows where they’ll strike next, the group’s success highlights the importance of protecting yourself online and not clicking on suspicious links.
