Russian hacking gang Evil Corp shifts its extortion strategy after sanctions


NEW YORK (BLOOMBERG) - A notorious Russian cyber-crime group has updated its attack methods in response to sanctions that prohibit United States companies from paying it a ransom, according to cyber-security researchers.

The security firm Mandiant said Thursday (June 2) it believes that the Evil Corp gang is now using a well-known ransomware tool named LockBit.

Evil Corp has shifted to LockBit, a ransomware strain used by numerous cyber-crime groups, rather than its own brand of malicious software in order to hide evidence of the gang's involvement, so that compromised organisations are more likely to pay an extortion fee, researchers said.

The US Treasury Department in 2019 sanctioned the alleged leaders of the Evil Corp gang, creating legal liabilities for American companies that knowingly send ransom funds to the hackers. While cyber-security firms have associated Evil Corp with two malware strains, known as Dridex and Hades, the group's use of LockBit could lead hacked organisations to believe that a different hacking group, rather than Evil Corp, was behind the breach.

Evil Corp is believed to be behind some of the worst banking fraud and computer hacking schemes of the past decade, stealing more than US$100 million (S$137 million) from companies across 40 countries, according to the US government. Alleged members are on the wanted lists of law enforcement across the US, United Kingdom and Europe, including accused mastermind Maksim Yakubets, who the Treasury Department said previously worked for Russia's Federal Security Service.

The 35-year-old Russian man is reported to own a tiger and drive a personalised Lamborghini with a licence plate that translates to say "thief", according to the UK's National Crime Agency.

The US has increasingly used sanctions to try to curb cyber-criminal operations, including prohibiting American organisations from paying ransom fees to known groups like Evil Corp and to cryptocurrency exchanges that are often used to funnel ransom payments.

Evil Corp's alleged reliance on off-the-shelf software also suggests that sanctions may not be enough to deter the group from extorting money from businesses in the US and around the world, according to Ms Kimberly Goody, director of cyber-crime analysis at Mandiant.

"This shows us that sanctions can be effective in changing actor behaviour, such as pushing people to other services, but not always at fully curtailing operations due to the availability of cyber-crime tools and services in underground communities," she said.

A Treasury spokesman said it had become aware of such obfuscation attempts, adding that government officials regularly highlight to industry the importance of reporting attacks so that law enforcement can connect the dots and try to identify the perpetrators.

Ransomware attacks typically begin by tricking an individual into clicking on a malicious link while using a corporate device; the infected device then gives the attackers a foothold in the organisation's network.

Once hackers have access to this network or critical files and systems, they will encrypt the data, rendering it inaccessible. The targets are told they can pay a ransom, typically in cryptocurrency, to receive a decryption key and gain access to their systems.

Alphabet's Google announced in March it has agreed to purchase Mandiant for US$5.4 billion.
