6 June 2022

Russia-based Evil Corp switches to LockBit malware to evade US sanctions

The Russia-based cybercriminal group Evil Corp (aka the Dridex group and Indrik Spider) has switched to a ransomware-as-a-service model in an effort to dodge sanctions imposed by the US government in 2019. Those sanctions prohibit US persons, including American companies, from transacting with the group, which in practice bars victims from paying it a ransom.

Evil Corp is believed to be behind the Dridex banking trojan and the BitPaymer and WastedLocker ransomware families, and is held responsible for some of the worst banking fraud and computer hacking schemes of the past decade, stealing more than $100 million from organizations across 40 countries.

In December 2019, the US Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Evil Corp and two of its key members, Maksim Yakubets and Igor Turashev, for deploying the Dridex malware (aka Bugat and Cridex) and for their involvement in international bank fraud and computer hacking schemes; the US Department of Justice indicted the pair at the same time. The US Department of State also announced a reward of up to $5 million for information leading to the arrest or conviction of Yakubets, the group’s leader.

Since the sanctions hit, Evil Corp has cycled through a series of ransomware variants. In June 2020, the group switched to a new strain, WastedLocker, in order to skirt the sanctions, and in 2021 it once again attempted to evade them by shifting to a WastedLocker variant dubbed ‘Hades.’ The gang has also used other ransomware variants, including Macaw Locker and Phoenix CryptoLocker.

Now, according to Mandiant, Evil Corp has started using LockBit, a well-known ransomware-as-a-service (RaaS) offering, rather than its own brand of ransomware. Using a widely shared strain hides evidence of the gang’s involvement, so that compromised organizations cannot easily tie the attack to a sanctioned entity and are therefore more likely to pay.

“Based on the overlaps between UNC2165 and Evil Corp, we assess with high confidence that these actors have shifted away from using exclusive ransomware variants to LockBit in their operations, likely to hinder attribution efforts in order to evade sanctions,” the company said in a report.

“The adoption of existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp. Its adoption could also temporarily afford the actors more time to develop completely new ransomware from scratch, limiting the ability of security researchers to easily tie it to previous Evil Corp operations.”
