Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.
The Evil Corp hacking group, also known as Indrik Spider and the Dridex gang, has been involved in cybercrime activities since 2007, but mostly as affiliates of other organizations.
Over time, the group began focusing on their own attacks by creating and distributing a banking trojan called Dridex in phishing attacks.
Shifting to ransomware
As ransomware attacks became increasingly profitable, Evil Corp launched an operation called BitPaymer, delivered via the Dridex malware to compromised corporate networks.
The hacking group's criminal activity eventually led them to be sanctioned by the US government in 2019.
Due to these sanctions, ransomware negotiation firms will no longer facilitate ransom payments for operations attributed to Evil Corp.
To bypass US sanctions, Evil Corp began creating limited-use ransomware operations under various names such as WastedLocker, Hades, Phoenix CryptoLocker, and PayloadBin.
Other ransomware families that are believed, but not confirmed, to be affiliated with Evil Corp include DoppelPaymer, which was recently rebranded as Grief.
Introducing Macaw Locker
This month, Olympus and Sinclair Broadcast Group had their operations severely disrupted by weekend ransomware attacks.
For Sinclair, it caused TV broadcasts to be cancelled, different shows to air, and newscasters to report their stories with whiteboards and paper.
Still dealing with technical difficulties at @CBS6Albany …. Our 11pm newscast (which is starting late after football) will be unconventional. We're working with handwritten notes, and it's going to be a bit more conversational. Tune in, and thanks for bearing with us! pic.twitter.com/D620UCD72F
— Leanne DeRosa (@CBS6Leanne) October 18, 2021
This week, it was discovered that both attacks were carried out by a new ransomware called Macaw Locker.
In a conversation with Emsisoft CTO Fabian Wosar, BleepingComputer was told that, based on code analysis, Macaw Locker is the latest rebrand of Evil Corp's ransomware family.
BleepingComputer has also learned from sources in the cybersecurity industry that the only two known Macaw Locker victims are Sinclair and Olympus.
Sources also shared the private Macaw Locker victim pages for two attacks, where the threat actors demand a 450 bitcoin ransom, or $28 million, for one attack and $40 million for the other victim.
It is unknown which company is associated with each ransom demand.
When conducting attacks, the Macaw Locker ransomware encrypts victims' files and appends the .macaw extension to the file name.
While encrypting files, the ransomware also creates a ransom note named macaw_recover.txt in each folder. For each attack, the ransom note contains a unique victim negotiation page on the Macaw Locker Tor site and an associated decryption ID, or campaign ID, as shown below.
Macaw Locker ransom observe
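As an added example (not code from the article or from any vendor), a small Python triage script that sweeps a directory tree for the two file-system indicators described above, the .macaw extension and the macaw_recover.txt note, and flags folders that hold encrypted files but no note; the sample tree it builds is constructed for the demo, not real victim data.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files get the ".macaw"
# extension and a note named "macaw_recover.txt" is dropped in each folder.
ENCRYPTED_EXT = ".macaw"
RANSOM_NOTE = "macaw_recover.txt"


def scan_for_macaw(root):
    """Walk a directory tree and report Macaw Locker artefacts.

    Returns the encrypted files, the folders containing a ransom note, and
    folders holding encrypted files but no note (worth a closer look when
    scoping an incident: encryption there may have been interrupted).
    """
    root = Path(root)
    encrypted, note_dirs = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if RANSOM_NOTE in filenames:
            note_dirs.append(rel.as_posix())
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append((rel / name).as_posix())
    encrypted_dirs = {Path(p).parent.as_posix() for p in encrypted}
    return {
        "encrypted_files": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "encrypted_without_note": sorted(encrypted_dirs - set(note_dirs)),
    }


def build_sample_tree():
    """Constructed sample tree (hypothetical, not real victim data)."""
    root = Path(tempfile.mkdtemp(prefix="macaw_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q3.xlsx.macaw").write_text("ciphertext")
    (root / "finance" / RANSOM_NOTE).write_text("CONSTRUCTED NOTE")
    (root / "hr").mkdir()
    (root / "hr" / "staff.docx.macaw").write_text("ciphertext")  # no note here
    (root / "public").mkdir()
    (root / "public" / "readme.txt").write_text("untouched")
    return root


if __name__ == "__main__":
    for key, items in scan_for_macaw(build_sample_tree()).items():
        print(f"{key}: {items}")
```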
The gang's dark web negotiation site contains a brief introduction to what happened to the victim, a tool to decrypt three files for free, and a chatbox to negotiate with the attackers.
Macaw Locker Tor payment negotiation site
Now that Macaw Locker has been exposed as an Evil Corp variant, we will likely see the threat actors rebrand their ransomware again.
This constant cat-and-mouse game will likely never end until Evil Corp stops performing ransomware attacks or the sanctions are lifted.
However, neither of those scenarios is likely to occur in the near future.