Evil Corp, the notorious cybercrime group behind the Dridex banking trojan and the BitPaymer and WastedLocker ransomware families, has switched to a new tactic to evade sanctions imposed by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
In December 2019, OFAC sanctioned two key members of Evil Corp (aka the Dridex group and Indrik Spider), Maksim Yakubets and Igor Turashev, for deploying the Dridex malware (aka Bugat and Cridex) and for their involvement in international bank fraud and computer hacking schemes. The U.S. Department of State also announced a reward of up to $5 million for information leading to the capture or conviction of the group’s leader.
Following the OFAC sanctions, the group temporarily ceased operations while continuing to develop new tactics, techniques and procedures (TTPs) to evade the sanctions, the latest addition being the Hades ransomware, first spotted by researchers in December 2020.
According to the cybersecurity firm CrowdStrike, Hades is a 64-bit compiled variant of WastedLocker with additional code obfuscation and minor feature changes. This ransomware is not related to a similarly named ransomware family, Hades Locker, which first appeared in 2016.
While Hades shares the majority of its functionality with WastedLocker, it comes with a few changes identified by CrowdStrike as follows:
- Hades is now a 64-bit compiled executable with additional code obfuscation, likely to disguise the minimal changes, evade existing signature-based detections and hinder reverse-engineering efforts.
- The majority of standard file and registry Windows API calls were replaced with their system-call counterparts (i.e., the user-mode Native API functions exported from NTDLL).
- Hades employs a different User Account Control (UAC) bypass than WastedLocker; however, both implementations are taken directly from the open-source UACME project (https[:]//github[.]com/hfiref0x/UACME).
- Hades writes a single ransom note named HOW-TO-DECRYPT-[extension].txt to each traversed directory, as opposed to WastedLocker’s and BitPaymer’s approach of creating a note for each encrypted file.
- Hades now stores the key information in each encrypted file rather than in the ransom note. Both WastedLocker and BitPaymer stored the encoded and encrypted key information in the file-specific ransom notes.
- While Hades still copies itself to a generated subdirectory in Application Data, it no longer uses the :bin Alternate Data Stream (ADS). The use of the :bin ADS path was characteristic of both WastedLocker and BitPaymer.
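The note-per-directory layout above is the easiest of these changes to confirm during triage: Hades leaves exactly one HOW-TO-DECRYPT-[extension].txt per traversed directory, and the victim-specific extension appended to encrypted files is embedded in the note’s name. The following is an added example (not CrowdStrike’s tooling and not code from the original article) that recovers that extension from the note names in a file listing, tallies encrypted files per directory, and flags directories that hold encrypted files but no note. The listing, the `k7x2pq` extension and the paths are all constructed for illustration.

```python
"""Triage helper for a Hades-style ransom-note layout (added example).

Assumptions (not from the article): the extension is an alphanumeric
string, and a directory listing is available as a list of full paths.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# HOW-TO-DECRYPT-<extension>.txt, as described for Hades.
NOTE_RE = re.compile(r"^HOW-TO-DECRYPT-(?P<ext>[A-Za-z0-9]+)\.txt$", re.IGNORECASE)

# Constructed sample listing; "k7x2pq" is a hypothetical victim extension.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\HOW-TO-DECRYPT-k7x2pq.txt",
    r"C:\Users\alice\Documents\budget.xlsx.k7x2pq",
    r"C:\Users\alice\Documents\report.docx.k7x2pq",
    r"C:\Users\alice\Pictures\HOW-TO-DECRYPT-k7x2pq.txt",  # traversed, nothing encrypted
    r"C:\Users\alice\Desktop\notes.txt",                  # untouched directory
    r"C:\Users\alice\Downloads\setup.exe.k7x2pq",         # encrypted, but no note
]


def triage(paths):
    """Return (extension, summary) for a file listing.

    summary maps directory -> {"note": bool, "encrypted": int}. Only
    directories that contain a note or an encrypted file appear in it.
    Returns (None, {}) when no Hades-style note is present.
    """
    # Pass 1: recover the extension from the note names.
    exts = set()
    for p in paths:
        m = NOTE_RE.match(PureWindowsPath(p).name)
        if m:
            exts.add(m.group("ext"))
    if not exts:
        return None, {}
    if len(exts) != 1:
        raise ValueError(f"conflicting note extensions: {sorted(exts)}")
    ext = exts.pop()

    # Pass 2: per-directory tally of notes and encrypted files.
    summary = defaultdict(lambda: {"note": False, "encrypted": 0})
    for p in paths:
        wp = PureWindowsPath(p)
        d = str(wp.parent)
        if NOTE_RE.match(wp.name):
            summary[d]["note"] = True
        elif wp.suffix.lower() == "." + ext.lower():
            summary[d]["encrypted"] += 1
    return ext, dict(summary)


def missing_notes(summary):
    """Directories holding encrypted files but no note (worth a second look:
    an interrupted run, a cleaned-up note, or a different family)."""
    return sorted(d for d, s in summary.items() if s["encrypted"] and not s["note"])


if __name__ == "__main__":
    ext, summary = triage(SAMPLE_LISTING)
    print(f"extension: .{ext}")
    for d, s in sorted(summary.items()):
        print(f"{d}: note={s['note']} encrypted={s['encrypted']}")
    print("encrypted without note:", missing_notes(summary))
```

Feed it the output of a real directory enumeration (one full path per line) rather than the constructed list; an empty result means no Hades-style notes were found, which says nothing about other families that name their notes differently.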
“Since the OFAC sanctions and DOJ indictments against the group and its members, INDRIK SPIDER’s continued diversification has demonstrated the group’s significant resources and operational resilience. INDRIK SPIDER’s ability to adapt and overcome adversity has been illustrated in their continual advances in their campaigns, implementation of new tools, and adoption of third-party products and services. The development of their tradecraft has almost certainly been prompted by the legal action taken against them. The continued development of WastedLocker ransomware is the latest attempt by the notorious adversary to distance themselves from known tooling to aid them in bypassing the sanctions imposed upon them. The sanctions and indictments have undoubtedly significantly impacted the group and have made it difficult for INDRIK SPIDER to successfully monetize their criminal endeavors,” the researchers concluded.