Evil Corp Ransomware Posing As PayloadBin Group To Avoid US Sanctions

The hackers specifically renamed their ransomware in order to mimic the new Babuk operators’ project.

Operators of new ransomware PayloadBIN, linked to the cybercriminal group Evil Corp, are trying to avoid sanctions imposed by the Office of Foreign Assets Control of the US Treasury Department (OFAC).

Members of Evil Corp (also known as Indrik Spider and Dridex) started out as partners with the ZeuS botnet operators. Over time, Evil Corp formed its own group that focused on distributing a banking Trojan called Dridex via phishing emails. When the gangs began to move towards high-yield ransomware attacks, Evil Corp used BitPaymer ransomware, which was spread by the Dridex malware to compromised corporate networks. Following sanctions by the U.S. government in 2019, firms negotiating with ransomware operators refused to pay ransoms for Evil Corp’s attacks to avoid fines or lawsuits from the U.S. Treasury Department. WastedLocker, Hades and Phoenix to circumvent these sanctions.

Recall that at the end of April this year, Babuk operators announced the termination of their activities. However, two weeks later, the hackers made themselves felt again, presenting a new project, Payload Bin. Although hackers are no longer going to steal data and demand ransom for it, they will provide such an opportunity for other cybercriminals who do not have their own name and site of leaks.

Looks like EvilCorp is trying to pass off as Babuk this time. As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations. Sample: https://t.co/k669bbaNyV

— Fabian Wosar (@fwosar) June 5, 2021

WastedLocker -> Hades -> Phoenix -> PayloadBin, all same malware/group behind it. Probably a few in-between don't care to recall at the moment.

— Michael Gillespie (@demonslay335) June 5, 2021

BleepingComputer discovered a new ransomware sample called PayloadBIN on the VirusTotal service and initially suggested that the malware was associated with the Babuk Locker rebranding. Once installed, the ransomware adds the .PAYLOADBIN extension to encrypted files. In addition, the ransom note is called PAYLOADBIN-README.txt and informs the victim that “the networks are BLOCKED using the PAYLOADBIN ransomware.”

Babuk was alleged to have lied about its intentions to ditch the ransomware. However, after analyzing the new ransomware, experts Fabian Wosar from Emsisoft and Michael Gillespie from ID Ransomware confirmed that the program actually belongs to Evil Corp. As Vosar suggested, the hackers saw and seized the opportunity to impersonate another group that was not sanctioned.