Evil Corp, previously known as Dridex trojan creators, returned to the field with a virus after members got charged
The cybercrime group that got charged by the US government back in December[1] released the new strain of ransomware.[2] In the recent security report,[3] it was stated about the threat that demands ransoms of at least half of a million dollars. At least a dozen victims have been targeted by the threat. It is not specified how many ransoms got paid.
This new ransomware dubbed WastedLocker was found back in May, and the name derived from the file name that the virus creates. The first sample came with the ransom note that included the names of the victim and Protonmail and Tutanota platform-based email addresses that are commonly used by many ransomware creators. Later versions had different emails and Eclipso, Airmail email platform accounts.
Recently Evil Corp changes some elements of their tactics, but this WastedLocker only encrypts data and is not coded to filtrate any of it. According to experts, this feature may be included on purpose:
We assess that the probable reason for not leaking victim information is the unwanted attention this would draw from law enforcement and the public.
Ransomware functionality with a code reuse
Security experts say that analysis revealed features common with BitPaymer ransomware.[4] They claim that code was reused and that other similarities like victims’ name usage and ransom note text may indicate the relation between the two cryptomalware versions.
Security experts tracked the activities of the malicious actors and the use of this threat since the firs occurrence in May 2020. It revealed that this ransomware is distributed across the United States and is targeting companies mainly. Additional findings reveal that demands even go up to $10 million. However, there is no information about particular victims who paid the demanded ransom even though these criminals are extremely aggressive with the spreading of the threat.
Typically, they hit file servers, database services, virtual machines, and cloud environments. We’ve seen demands of more than $10 million.
The ransomware is using the AES encryption algorithm[5] and generated a new key for each affected file, so the attacker also creates the file for every encoded file that contains the ransom note. All the affected data gets .wasted appendix. The decryption code was found, but it is not accessible without administrative privileges.
Additional Evil Corp campaigns and history
Evil Corp group has been known since 2007 what actors started to release their own malware after helping with ZeuS banking trojan. Campaigns started with the distribution of Cirdex banking malware that later evolved into Dridex trojan. From there, creators used the code of Dridex to generate multi-purpose malware. These operations became one of the most dangerous and widely-spread malware distribution campaigns.
In 2016 the group was involved in spreading Locky ransomware. They have adapted the malware to target more popular victims like companies and businesses when the world of ransomware changed these tactics. The upper mentioned BitPayper ransomware was created after dropping the Locky. The Dridex malware was still used to look for corporate networks and enterprises that BitPaymer could target later on.
The Evil Corp group members, including one of the masters, got charged in December 2019. After that malware creators got silent, and activities were not renewed until late January 2020. At the time, according to experts actors only helped with other malware campaigns. A few months were again silent for the group when they stopped actively working in March.