Evil Corp, a notorious hacking group based in Russia, has reportedly changed its strategy to avoid the ransomware sanctions that the United States placed on it.

According to Virginia-based cybersecurity firm Mandiant, the Russian cybercriminals are now using a ransomware-as-a-service model to carry out their operations.

Russian Hackers on the Rise

Evil Corp Cybercriminals Shift Tactics to Avoid Ransomware Sanctions from the US
American cybersecurity firm Mandiant has found that a group of Russian hackers has shifted its tactics to a different operating model.

The infamous hacking group became widely known when it caught the attention of American authorities.

Back in December 2019, the US Treasury's Office of Foreign Assets Control (OFAC) sanctioned the group for stealing millions of dollars from several banks. At the time, the hackers were deploying the Dridex malware on victims' systems.

Just recently, Mandiant found that a group it tracks as UNC2165 was behind the new operations. At first, the researchers tracked it as an "uncategorized" cluster, only to discover it was linked to Evil Corp.

According to TechCrunch, Mandiant has been tracking UNC2165 for three years. The firm noticed that the threat actors were using the "FakeUpdates" infection chain.

In this chain, the hackers deceive potential victims with a fake browser update prompt. Mandiant later concluded that it was the same vector the attackers had used to deliver Dridex.


Evil Corp Ransomware Operations

The same Russian cybercriminals were also responsible for deploying the WastedLocker and BitPaymer ransomware.

Evil Corp was additionally known to use the Hades ransomware. As Mandiant continued its research, it noticed, with help from other security vendors, that the infrastructure was closely connected to the Russian hackers.

Mandiant noted that the cybercriminals could embed themselves within other groups. To dodge the potential penalties awaiting them, the group quickly shifted to a ransomware-as-a-service model.

Under this strategy, Evil Corp can carry out its attacks while obscuring its involvement, since using another operator's ransomware protects the group's identity.

"The adoption of existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp. Its adoption could also temporarily afford the actors more time to develop completely new ransomware from scratch, limiting the ability of security researchers to easily tie it to previous Evil Corp operations," Mandiant said.

Following this finding, another Russian group, REvil, recently admitted its involvement in the latest DoS campaign. The incident hit Akamai, a well-known cloud service provider based in Massachusetts.

Although the hackers had already claimed responsibility for the incident, the researchers believed the claim was merely a cover by the cybercriminals.

A week ago, Reuters reported that a circle of Russian hackers had leaked Brexit-related plans on a website.

A cybersecurity official from Google said that leaked emails had been posted on the "Very English Coop d'Etat" website. The report added that the emails came from pro-Brexit figures such as Robert Tombs and Richard Dearlove.


This article is owned by Tech Times

Written by Joseph Henry 

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.