By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

The Evil Corp group, also known as the Dridex gang, has been active since 2007 when several members previously involved with the ZeuS banking trojan decided to try their own luck at distributing malware. Ther initial efforts were focused on distributing the Cridex banking trojan, a malware strain that later evolved into the Dridex banking trojan, and later subsequently evolved into the Dridex multi-purpose malware toolkit. Across the years, Evil Corp, through its Dridex operation became one of the largest malware and spam botnets on the internet. The group distributed their own malware, but also malware for other criminal groups, along with custom spam messaging. The group dipped their toes into ransomware distribution by spreading the Locky ransomware to home consumers throughout 2016. As the ransomware market began shifting targeting from home consumers to enterprise targets, the Evil Corp gang adapted as well, and after dropping the Locky strain for good, they created new custom ransomware named BitPaymer. The group used their vast botnet of computers infected with the Dridex malware to look for corporate networks and then deploy BitPaymer on the largest enterprise targets they could identify. The group operated BitPaymer between 2017 and 2019 when new infections started dropping off. The reasons are unclear, but the slowdown in BitPaymer infections may have also had something to do with the Dridex botnet slowing down its activity between 2017 and 2019. Fox-IT says that this slowdown culminated with the DOJ charges filed in December 2019. Following the high-profile indictments, the group went silent for a full month until January 2020. According to Fox-IT, the group came back to life in January and spurted a few malware campaigns, usually for other crooks, until March, when they again went silent. However, when the group returned to life for the second time in 2020, they did so with new tools. Fox-IT says the group created a new ransomware strain to replace the aging BitPaymer variant that they've been using since early 2017. The actual reasons for replacing BitPaymer are shrouded in mystery; however, Fox-IT, says this replacement appears to be a totally new ransomware strain, written from scratch. Fox-IT says it named this new ransomware WastedLocker based on the file extension it adds to encrypted files, usually consisting of the victim's name and the string "wasted." Security researchers say that an analysis of this new ransomware has revealed little code reuse or code similarities between BitPaymer and WastedLocker; however, some similarities still remain in the ransom note text. In an interview with ZDNet earlier today, Fox-IT says they've been tracking the use of this new ransomware family since May 2020. They say the ransomware has been exclusively deployed against US companies. "Ransom demands that are asked by Evil Corp are now typically into the millions," Maarten van Dantzig, Fox-IT security researcher, told ZDNet today. Want to know more please visit OUR FORUM.