Hostile Takeover: A History of Evil Corp after a Leader is named by Law Enforcement
tl;dr
The threat group known as Evil Corp has shown resilience, continuing to iterate and regroup in an effort to evade sanctions. Today, the National Crime Agency (NCA) named another member of the infamous group, Alexsandr Ryzhenkov, as the leader’s right hand man.
In addition to this news, we’re also sharing domains associated with Evil Corp over the past several years in the hope that the community can better understand their infrastructure and prevent future attacks.
History of Evil Corp – How Did We Get Here?
Evil Corp (not to be confused with E Corp from Mr. Robot) is a prolific and dangerous cybercrime group hailing from Russia. Their primary claim to fame is the development and distribution of Dridex malware (also known as ‘Bugat’), which was designed to steal confidential information, such as banking credentials along with personally identifiable information (PII).
The group has been active for over a decade and has harvested banking credentials from over 300 banks and financial institutions in over 40 countries, though as of late, they primarily target the United States and United Kingdom.
The leader of the gang, Maksim “Aqua” Yakubets, was an early adopter of the affiliate model, moving Evil Corp to selling access to Dridex malware to other malicious actors and allowing Evil Corp to pocket a percentage of the additional revenues.
While Russia initially provided some assistance to the United States regarding the whereabouts of Yakubets, they ceased participation in the investigation, spurring rumors that Yakubets is working for the Federal Security Service of the Russian Federation (FSB). Given that Yakubets’ father-in-law is an ex-FSB officer, these claims have some merit. Additionally, it is reported that several of Evil Corp’s members are related to high-ranking Russian officials. A report from the NCA, FBI, and AFP sheds further light on the connections and collaboration that Evil Corp has historically had with the Russian government, including the personal ties between Evil Corp members and campaigns undertaken on behalf of Russia’s security services.
In 2019, the US Treasury Department issued sanctions against Yakubets and his associates; should any of the listed individuals leave Russia, they would be subject to arrest. The bounty placed on Yakubets’ head is $5,000,000.
Evil Corp Timeline of Events
Here’s what Evil Corp has been up to in the last five years:
2019
- US Treasury Department’s Office of Foreign Assets Control (OFAC) sanctions Evil Corp

2020
- Evil Corp disappears temporarily and reappears in January 2020
- BitPaymer is once again observed being used in a Big Game Hunting (BGH) operation against a victim conglomerate spanning multiple verticals
- This BitPaymer operation was one of the first examples of Evil Corp using a variant of Gozi ISFB as part of their toolset instead of their Dridex banking trojan
- Evil Corp increased efforts to move away from their existing tools and introduced WastedLocker, the successor to their BitPaymer ransomware
- The group began using fake browser updates to deliver the Cobalt Strike red-teaming tool. Once control over the enterprise environment was established, WastedLocker would be executed in their BGH campaigns
- Hades ransomware is the successor to WastedLocker, according to CrowdStrike Intelligence. Use of Hades ransomware comes with another change in tactics: a departure from using email communication and the possibility of exfiltrating data from victims to elicit payments
- The Hades ransom note directs victims to a Tor hidden site, unique for each victim, and states that data has been exfiltrated from their network

2021
- During 2021, the group leveraged publicly available loaders, including DONUT, to deploy BEACON payloads; however, intrusions observed since late 2021 have used the COLORFAKE (aka Blister) dropper Cypherpunk variant (SentinelOne assesses this finding as an indication that Evil Corp is still working on updating their tradecraft to change their signature and stay under the radar)
- Another rebrand with the emergence of Macaw Locker, a new strain researchers were once again able to trace to Evil Corp actors

2022
- UNC2165 is the name given to the threat group believed to have emerged from Evil Corp
- Research identifies UNC2165 using Lockbit’s ransomware
- Switch to ransomware-as-a-service (RaaS) in an effort to obscure signals of their attacks
- Lockbit claimed it hacked Mandiant in retribution for releasing their report on Evil Corp using Lockbit ransomware (though when they published the files, the data didn’t come from Mandiant)
- TWIST: threat actors behind the Lockbit RaaS operation distanced themselves from Evil Corp in a PR stunt
- The public profile of Evil Corp is such that other cybercrime gangs don’t want to be seen having any association with it

2024
- In June 2024, Intel471 uses MITRE ATT&CK and Splunk to create an investigation looking at Evil Corp. They share their findings, which don’t necessarily mean the activity found is malicious, as a way for other investigators to take the next step
While the members of Evil Corp and their activities predate 2019, going back to 2007 and the formation of what was known as The Business Club, the group started to adopt the Evil Corp identity in 2013, registering the domain ev17corp[.]biz on February 15th, 2013. Since the launch of Dridex in 2014, their activities have been consolidated under the new moniker. It was a few years later that Evil Corp began deploying ransomware via their botnet, first using BitPaymer and later developing and deploying DoppelPaymer in their ransomware attacks. Around the same time, Evil Corp actors Yakubets and Alexsandr Ryzhenkov began the development of what would ultimately become the ransomware known as WastedLocker.
In 2019, law enforcement actions and imposed sanctions prohibited ransom payments to Evil Corp. The group retaliated by obfuscating their activities in the hope of continuing their operations. This included a shift away from the Dridex botnet in favor of SocGholish as an initial access tool. Later it was followed by the development and adaptation of numerous ransomware strains including Hades, Phoenix Locker, PayloadBIN and Macaw to try and further evade sanctions. In June of 2022, Mandiant reported on a tie between Evil Corp and Lockbit as further evidence of their efforts to continue operations and facilitate ransomware payments to the group. In the report by the NCA and law enforcement partners, it is also stated that Ryzhenkov, identified as “Yakubets’ right hand man,” is a Lockbit affiliate and has been tied to numerous Lockbit attacks.
Beyond the individual actors that have been historically associated with Evil Corp, and the reiteration of Yakubets’ role in the organization, the identification of Alexsandr Ryzhenkov is notable, and we believe it has not been previously disclosed. Given his reported involvement in the development of Dridex and subsequent ransomware variants, this would surely warrant the same treatment as other cybercriminals who have recently been indicted, including actors associated with Trickbot.
This report by law enforcement is an important reminder of the threat these groups pose and the efforts they undertake to continue their malicious activity. While Evil Corp has long been a known actor group, their continued recidivism and history of adapting their tactics, techniques, and procedures (TTPs) makes them a relevant and persisting threat. Sharing information about their activities and TTPs is important in the collective effort to defend against them.
To that end, we have included a list of domains associated with Evil Corp over the past few years. While it is not exhaustive, it hopefully illustrates the scale at which many of these groups operate and the use of domains in their C2 infrastructure.
A reminder about the importance of DNS and Domain Intelligence
Utilizing DNS and domain intelligence can be powerful in the fight against cybercrime groups like Evil Corp:
- De-anonymizing Malicious Actors: Tracking domains used by ransomware threat actors can reveal potential patterns, making them easier to identify
- Early Detection: By actively monitoring DNS logs, your security team can detect and block malicious domains before employees have the opportunity to interact with them, so that a phishing email pointing at such a domain cannot lead to a downloaded payload. Blocking suspicious domains ahead of time, before the phishing emails are even sent, removes the opportunity entirely
- Incident Response: In the event a ransomware attack does take place, DNS logs help trace the origin of the attack and understand its spread through the network, enabling an effective response and recovery
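The three uses of DNS intelligence above (matching known domains, blocking before interaction, and tracing origin and spread from resolver logs) can be shown in one small script. This is an added example, not code from the original post or from the NCA report. It takes a blocklist in the defanged "[.]" notation threat-intel feeds commonly use, matches resolver log lines against it on DNS label boundaries (so a subdomain of a listed domain matches but a look-alike name that merely contains the string does not), and reports the first host to query a listed name and the order in which further hosts followed. The only real domain in the blocklist is ev17corp[.]biz, which the post names; the other domains, the host names and the log lines are constructed placeholders.

```python
"""Match DNS resolver logs against a defanged domain blocklist and summarise
which hosts queried listed names, and in what order.

Added example for illustration; not code from the original post. Blocklist
entries other than ev17corp[.]biz, the host names and the log lines are
constructed placeholders, not real infrastructure or real telemetry.
"""
from datetime import datetime
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed indicator list in the defanged "[.]" form. ev17corp[.]biz is
# the domain named in the post; the ".example" entries are placeholders.
BLOCKLIST_DEFANGED: List[str] = [
    "ev17corp[.]biz",
    "placeholder-c2-one[.]example",
    "placeholder-update[.]example",
]

# Constructed resolver log: "<ISO timestamp> <querying host> <queried name>".
# The last line is a look-alike that contains the string "ev17corp.biz" but
# is not a subdomain of it, and must not match.
DNS_LOG = """\
2024-10-01T08:00:01Z ws-finance-07 login.microsoftonline.com
2024-10-01T08:02:15Z ws-finance-07 cdn.placeholder-update.example
2024-10-01T08:02:16Z ws-finance-07 ev17corp.biz
2024-10-01T08:15:44Z ws-hr-02 www.example.org
2024-10-01T09:10:03Z srv-file-01 ev17corp.biz
2024-10-01T09:11:30Z srv-file-01 placeholder-c2-one.example
2024-10-01T09:30:00Z ws-hr-02 ev17corp.biz.lookalike.example
"""


def refang(domain: str) -> str:
    """Turn the defanged 'name[.]tld' form back into a normalised DNS name."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def matches_blocklist(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklisted domain that qname equals or is a subdomain of.

    Candidates are built from whole labels, so 'cdn.bad.example' matches
    'bad.example' while 'notbad.example' and 'bad.example.other' do not.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_log(text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, host, queried name) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, qname = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), host, qname


def analyse(log_text: str, blocklist_defanged: List[str]) -> Dict:
    """Correlate the log with the blocklist.

    Returns every matching query, the first host to resolve a listed name
    (the likely origin of the intrusion) and the hosts ordered by the time
    of their first match (the spread through the network).
    """
    blocklist = {refang(d) for d in blocklist_defanged}
    hits: List[Tuple[datetime, str, str, str]] = []
    first_seen: Dict[str, datetime] = {}
    for ts, host, qname in parse_log(log_text):
        hit = matches_blocklist(qname, blocklist)
        if hit is None:
            continue
        hits.append((ts, host, qname, hit))
        first_seen.setdefault(host, ts)
    spread = sorted(first_seen, key=lambda h: first_seen[h])
    return {"hits": hits, "origin": spread[0] if spread else None, "spread": spread}


if __name__ == "__main__":
    result = analyse(DNS_LOG, BLOCKLIST_DEFANGED)
    for ts, host, qname, hit in result["hits"]:
        print(f"{ts.isoformat()} {host} queried {qname} (matches {hit})")
    print("likely origin:", result["origin"])
    print("spread order :", " -> ".join(result["spread"]))
```

Feed the same `matches_blocklist` check into a resolver's response-policy logic and the "block before interaction" case is covered as well: a query that matches is answered with NXDOMAIN or a sinkhole address instead of being forwarded, and the log entry still records which host tried.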