Russian hacking gang Evil Corp shifts its extortion strategy after sanctions

A back-lit computer keyboard. (Chris Ratcliffe/Bloomberg)

A notorious Russian cybercrime group has updated its attack methods in response to sanctions that prohibit U.S. companies from paying it a ransom, according to cybersecurity researchers.

The security firm Mandiant said Thursday it believes the Evil Corp gang is now using a well-known ransomware tool named LockBit. Evil Corp has shifted to LockBit, a form of ransomware used by numerous cybercrime groups, rather than its own brand of malicious software in order to hide evidence of the gang’s involvement, so that compromised organizations are more likely to pay an extortion fee, researchers said.

The U.S. Treasury Department in 2019 sanctioned the alleged leaders of the Evil Corp gang, creating legal liabilities for American companies that knowingly send ransom funds to the hackers. While cybersecurity firms have associated Evil Corp with two malware strains, known as Dridex and Hades, the group’s use of LockBit could lead hacked organizations to believe that a different hacking group, not Evil Corp, was behind the breach.

Evil Corp is believed to be behind some of the worst banking fraud and computer hacking schemes of the past decade, stealing more than $100 million from companies across 40 countries, according to the U.S. government.

Alleged members are on the wanted lists of law enforcement across the U.S., UK and Europe, including accused mastermind Maksim Yakubets, whom the Treasury Department said previously worked for Russia’s Federal Security Service. The 35-year-old Russian man is reported to own a tiger and drive a personalized Lamborghini with a license plate that translates as “thief,” according to the U.K.’s National Crime Agency.

The U.S. has increasingly used sanctions to try to curb cybercriminal operations, including prohibiting American organizations from paying ransom fees to designated groups like Evil Corp, and sanctioning cryptocurrency exchanges that are often used to funnel ransom payments.