On Thursday 2nd of June 2020, Mandiant revealed that the Evil Corp cybercrime group has switched to deploying LockBit ransomware on targets’ networks to evade sanctions imposed by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC). The cybercrime group has been active since 2007 and was originally known for using the Dridex malware, but in more recent years it has become a ransomware operation.
Originally, the group used the Locky ransomware before deploying its own ransomware strain known as BitPaymer in 2019. But in December 2019, OFAC placed sanctions on the group for using Dridex, which has resulted in over $100 million in financial damages.
In response to the sanctions, the group switched to installing a new ransomware strain known as WastedLocker in June 2020. The group switched again in March 2021, moving to another strain known as Hades ransomware. Since then, the group has been seen using other ransomware strains known as Macaw Locker and Phoenix CryptoLocker. The new Mandiant report reveals that the Evil Corp cybercrime group has now made another attempt to evade sanctions by deploying ransomware as a LockBit affiliate.