Evil Corp (UNC2165): The Russian Syndicate Behind Global Cyber Chaos

Evil Corp, a prolific Russian cybercrime syndicate, deploys sophisticated malware and ransomware, targeting diverse sectors globally, including healthcare and finance, for financial gain and potential state-sponsored objectives.

Overview

Evil Corp, also known as UNC2165, GOLD DRAKE, and Indrik Spider, is a prolific and sophisticated cybercriminal syndicate operating since at least 2009. Based in Russia, the group is responsible for the development and deployment of several high-impact malware and ransomware variants. Their activities are financially motivated but also show potential links to the Russian government, blurring the lines between cybercrime and state-sponsored activity. The U.S. government has offered a substantial reward for information leading to the arrest of their leader, Maksim Yakubets, highlighting the group's significance and the international concern surrounding their operations. Their operations have caused hundreds of millions of dollars in damages globally.

Known Aliases of Evil Corp

• UNC2165
• GOLD DRAKE
• Indrik Spider

Country of Origin

Russia

Most Recent Attacks Involving Evil Corp Ransomware Group

• Numerous Banks and Financial Institutions: Evil Corp has targeted hundreds of banks and financial institutions across over 40 countries, resulting in over $100 million in theft (data from 2019).
• Scottish Hospitals (NHS Lanarkshire): In 2017, Evil Corp compromised several Scottish hospitals using BitPaymer ransomware.
• Numerous organizations across various sectors: The group targets finance, government, healthcare, media, transportation, manufacturing, non-profits, technology, and education sectors globally, particularly in the United States and Europe.

MITRE ATT&CK Tactics and Techniques Used by Evil Corp

• Initial Access: Phishing, exploiting software vulnerabilities.
• Execution: Using legitimate security tools and living-off-the-land techniques.
• Persistence: Maintaining persistent access to compromised systems.
• Privilege Escalation: Elevating privileges to gain greater control.
• Defense Evasion: Employing techniques to evade detection.
• Credential Access: Stealing credentials for lateral movement.
• Discovery: Reconnaissance on compromised systems.
• Lateral Movement: Moving between systems within a network.
• Collection: Gathering sensitive data on compromised systems prior to exfiltration.
• Command and Control: Communicating with command-and-control servers.
• Exfiltration: Transferring stolen data out of the network.
• Impact: Data destruction (ransomware), data theft.

Methods of Attack/Infiltration of the Evil Corp Cybercrime Network

Evil Corp employs a multi-stage attack process, often combining various techniques:

• Phishing: Spear-phishing emails are used to deliver malicious payloads.
• Malware Delivery: Malicious attachments or links in phishing emails lead to the installation of malware.
• Exploitation: Exploiting vulnerabilities in software and operating systems.
• Living-off-the-land Techniques: Leveraging legitimate system tools for malicious purposes.
• Lateral Movement: Moving throughout a network to compromise additional systems.
• Data Exfiltration: Stealing sensitive data, including financial and healthcare information.
• Ransomware Deployment: Deploying ransomware to encrypt data and demand a ransom for its release.

Malware/Ransomware Strains Used by Evil Corp

Evil Corp has developed and utilized a range of malware and ransomware:

• Dridex (formerly Bugat): A powerful information stealer with dynamic command-and-control capabilities and post-exploitation functionality.
• Zeus: One of the oldest banking trojans, with numerous variants (including GameOver Zeus and JabberZeus).
• GameOver Zeus (GOZ): A Zeus variant designed to deliver ransomware.
• JabberZeus (AquaZeus): A Zeus variant with an instant-messenger plugin for communication during attacks.
• BitPaymer (DoppelPaymer, FriedEx): Ransomware often dropped by Dridex.
• Hades: Ransomware developed to evade sanctions, succeeding WastedLocker.
• PhoenixLocker (Phoenix): Ransomware designed to mimic another hacker group.
• SocGholish (FAKEUPDATES): A social-engineering framework that delivers malware through fake software-update prompts.
• WastedLocker: Ransomware used in multi-stage attacks with high ransom demands.

In addition to its proprietary malware, Evil Corp also uses commodity malware and publicly available tooling such as Cobalt Strike, Covenant, Donut, Koadic, Mimikatz, PowerShell Empire, PowerSploit, TrickBot, Emotet, and Ryuk (through relationships with other cybercriminal groups).
