Evil Corp gang starts using LockBit Ransomware to evade sanctions

Pierluigi Paganini June 07, 2022

Mandiant researchers associate multiple LockBit ransomware attacks with the notorious Evil Corp Cybercrime Group.

Mandiant researchers have investigated multiple LOCKBIT ransomware attacks that have been attributed to the financially motivated threat actor UNC2165. The researchers also noticed that the group shares numerous overlaps with the cybercrime gang Evil Corp.

The UNC2165 group has been active since at least 2019, it was mainly observed using the FAKEUPDATES infection chain (aka  UNC1543) to access the victims’ networks. Experts noticed that FAKEUPDATES was also used as the initial infection vector for DRIDEX infections that were used to deploy BITPAYMER or DOPPELPAYMER in the last stage of the attack.

Evil Corp

Previously, the UNC2165 actors also deployed the HADES ransomware.

“Based on the overlaps between UNC2165 and Evil Corp, we assess with high confidence that these actors have shifted away from using exclusive ransomware variants to LOCKBIT—a well-known ransomware as a service (RaaS)—in their operations, likely to hinder attribution efforts in order to evade sanctions.” reads the analysis published by Mandiant.

Evil Corp has likely started using LockBit ransomware in an attempt to elude sanctions imposed by the U.S. Treasury in December 2019.

The researchers also noticed UNC2165 overlaps with a cluster of activity tracked as “SilverFish” by security firm ProDaft. The data reported in ProDaft’s report confirms that the analyzed malware administration panel was used to manage FAKEUPDATES infections and to distribute secondary payloads, including BEACON. Mandiant attributed this activity to UNC2165 based on malware payloads and other technical artifacts discovered by ProDaft.

The analysis published by Mandiant provided details about each phase of the attack lifecycle associated with the threat actors. Once gained initial access to the target network, the attackers conducted a series of actions such as privilege escalation, internal reconnaissance, lateral movement, and maintaining persistence, aimed at deploying the final ransomware.

“The adoption of an existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp. Both the prominence of LOCKBIT in recent years and its successful use by several different threat clusters likely made the ransomware an attractive choice. Using this RaaS would allow UNC2165 to blend in with other affiliates, requiring visibility into earlier stages of the attack lifecycle to properly attribute the activity, compared to prior operations that may have been attributable based on the use of an exclusive ransomware.” concludes the report. “It is plausible that the actors behind UNC2165 operations will continue to take additional steps to distance themselves from the Evil Corp name. “

The report also includes MITRE ATT&CK Mapping, YARA Rules for the LockBit ransomware

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 


Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Evil Corp)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment