A notorious Russian cybercrime group has updated its attack methods in response to sanctions that prohibit US companies from paying it a ransom, according to cybersecurity researchers.

The security firm Mandiant said on June 1 it believes that the Evil Corp gang is now using a well-known ransomware tool named Lockbit. Evil Corp has shifted to using Lockbit, a form of ransomware used by numerous cybercrime groups, rather than its own brand of malicious software to hide evidence of the gang’s involvement so that compromised organisations are more likely to pay an extortion fee, researchers said.

The US Treasury Department in 2019 sanctioned the alleged leaders of the Evil Corp gang, creating legal liabilities for American companies that knowingly send ransom funds to the hackers. While cybersecurity firms have associated Evil Corp with two kinds of malware strains, known as Dridex and Hades, the group’s use of LockBit could cause hacked organisations to believe that another hacking group, other than Evil Corp, was behind the breach.

Evil Corp is believed to be behind some of the worst banking fraud and computer hacking schemes of the past decade, stealing more than US$100mil from companies across 40 countries, according to the US government.

Alleged members are on the wanted lists of law enforcement across the US, UK and Europe, including accused mastermind Maksim Yakubets, who the Treasury Department said previously worked for Russia’s Federal Security Service. The 35-year-old Russian man is reported to own a tiger and drive a personalised Lamborghini with a license plate that translates to say “thief”, according to the UK’s National Crime Agency.

The US has increasingly used sanctions to try to curb cybercriminal operations, including prohibiting American organisations from paying ransom fees to known groups like Evil Corp and cryptocurrency exchanges which are often used to funnel ransom payments.

Evil Corp’s alleged reliance on off-the-shelf software also suggests that sanctions may not be enough to deter the group from extorting money from businesses in the US and around the world, according to Kimberly Goody, director of cybercrime analysis at Mandiant.

“This shows us that sanctions can be effective in changing actor behaviour, such as pushing people to other services, but not always at fully curtailing operations due to the availability of cybercrime tools and services in underground communities,” she said.

A US Treasury spokesperson said it had become aware of such obfuscation attempts, adding that government officials regularly highlight to industry the importance of reporting attacks to so that law enforcement can connect the dots and try to identify the perpetrators.

Ransomware attacks typically work by infecting a target’s computer by tricking an individual to click on a malicious link while using a corporate device, which in turn infects the organisation’s network. Once hackers have access to this network or critical files and systems, they will encrypt the data, rendering it inaccessible. The targets are told they can pay a ransom, typically in cryptocurrency, to receive a decryption key and gain access to their systems.

Alphabet Inc’s Google announced in March it has agreed to purchase Mandiant for US$5.4bil .

 - Bloomberg