The prolific Russian cybercriminal group Evil Corp has started using a new ransomware variant named Macaw Locker. The latest attack was conducted on the U.S. telecommunications conglomerate Sinclair Broadcast Group. Sinclair Broadcast Group is the second largest TV station operator in the United States and owns and operates 185 TV stations and 620 channels.
The attack caused disruption to IT systems, with the technical difficulties resulting in the cancellation of some broadcasts and presenters having to resort to paperwork rather than computer screens. Prior to the attack on Sinclair Broadcast Group, Evil Corp conducted a Macaw Locker ransomware attack on the technology firm Olympus. According to Bleeping Computer, the ransom demands in those two attacks were $28 million and $40 million.
Evil Corp (Indrik Spider/Dridex) is behind the banking Trojans Dridex and Bugat, which have been used in cyberattacks on hundreds of banks around the world and are mainly distributed in phishing emails. In late 2019, the U.S. government indicted the group’s leader, Maksim V. Yakubets, who is believed to head a team of at least 16 individuals and has used the malware variants in numerous attacks in the United States. The gang is believed to have stolen in excess of $100 million from U.S. businesses and consumers. The U.S. Treasury Department believes Evil Corp has strong links with Russian intelligence, with Yakubets thought to have been working with the Russian FSB, one of its leading intelligence agencies, since 2017.
When it comes to recovering from Evil Corp ransomware attacks, victims have the additional problem of not being able to pay the ransom without facing sanctions from the U.S. Treasury Department, since payments to Evil Corp have been illegal since December 2019.
In an effort to get around the sanctions, the group regularly changes its malware tools. Evil Corp was behind the WastedLocker, Hades, Phoenix Cryptolocker, PayloadBin, and BitPaymer ransomware strains, and is suspected of being behind the DoppelPaymer (Grief) ransomware variants. Each rebrand of its ransomware is an attempt to escape the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctions. Since Evil Corp was added to the OFAC Specially Designated Nationals (SDN) list, ransomware remediation firms will not negotiate payments in any attack involving an Evil Corp ransomware variant.
The change to Macaw ransomware is yet another move to trick U.S. ransomware victims into paying the ransom, but now that Macaw Locker ransomware has been tied to the group, attacks on U.S. firms are unlikely to see ransom payments made. That means Evil Corp will likely have to rebrand once again.