By Clare O’Gara
Sun | Jun 28, 2020 | 7:30 AM PDT

When a ransomware strain is associated with a name like Evil Corp, you know there's trouble.

Remember December of 2019? It feels like forever ago. Students were still attending physical schools, wearing a mask in public was rare, and we could hug our loved ones without fear.

Also, the U.S. Department of Justice was charging high-profile Evil Corp hackers for their crimes.

In existence since around 2007, Evil Corp—also known as the Dridex gang—gradually became one of the largest malware and spam botnets on the internet. It remained a considerable threat until 2019, when a decline in the group's BitPaymer infections and botnet activity culminated in an indictment from the DOJ.

For several months, Evil Corp went silent.

But new research from NCC Group reveals that the organization is returning. The latest variant? A ransomware strain called WastedLocker:

"The new WastedLocker ransomware appeared in May 2020. The ransomware name is derived from the filename it creates which includes an abbreviation of the victim's name and the string 'wasted.'

Evil Corp are selective in terms of the infrastructure they target when deploying their ransomware. Typically, they hit file servers, database services, virtual machines and cloud environments. This increases the time for recovery for the victim, or in some cases due to unavailability of offline or offsite backups, prevents the ability to recover at all."

That ransomware strain sounds damaging, but it also has other unique characteristics that set it apart:

"It is interesting that the group has not appeared to have engaged in extensive information stealing or threatened to publish information about victims in the way that the DoppelPaymer and many other targeted ransomware operations have. We assess that the probable reason for not leaking victim information is the unwanted attention this would draw from law enforcement and the public."

However, Evil Corp is drawing enough attention with its new WastedLocker ransomware strain to reveal that it is back in business.
