The cybercriminal group is distancing itself from its previous branding by shifting tactics and tools once again in a bid to keep profiting from its nefarious activity.
Evil Corp has shifted tactics once again, this time pivoting to LockBit ransomware after U.S. sanctions made it difficult for the cybercriminal group to reap financial gain from its activity, researchers have found.
Researchers from Mandiant Intelligence have been tracking a “financially motivated threat cluster” they’re calling UNC2165 that has numerous overlaps with Evil Corp and is highly likely the latest incarnation of the group.
UNC2165 is using the FakeUpdates infection chain to gain access to target networks, followed by the LockBit ransomware, researchers wrote in a report published Thursday. The activity appears to represent “another evolution in Evil Corp affiliated actors’ operations,” they wrote.
“Numerous reports have highlighted the progression of linked activity including development of new ransomware families and a reduced reliance on Dridex to enable intrusions,” researchers wrote. “Despite these apparent efforts to obscure attribution, UNC2165 has notable similarities to operations publicly attributed to Evil Corp.”
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Evil Corp