Threat actors behind a notorious Russian cybercrime group appear to have rebranded their ransomware once again in a bid to escape US sanctions prohibiting victims from paying them.
Experts took to Twitter to point out that a leak site previously run by the Babuk group, which famously attacked Washington DC’s Metropolitan Police Department (MPD), had rebranded to “PayloadBin.” The Babuk group claimed that it was shutting down its affiliate model for encrypting victims and moving to a new model back in April.
A ‘new’ ransomware variant with the same name has also been doing the rounds of late, but according to CTO of Emsisoft, Fabian Wosar, it’s nothing more than a copycat effort by Evil Corp.
“Looks like EvilCorp is trying to pass off as Babuk this time. As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations,” he said.
If that’s correct, it would appear to be the latest in a long line of rebranding by the group from its original BitPaymer effort in a bid to circumvent US sanctions.
Michael Gillespie, the creator of the ID Ransomware service, explained that aside from WastedLocker, the group has used “Hades” and “Phoenix” as new names for the same malware.
Wosar said it was easy to identify the same underlying code in all of those ‘variants.’
“EvilCorp malware sticks out like a sore thumb simply because of the obfuscator they use,” he tweeted. “But the cryptographic scheme is identical, encrypted file format is identical, MO is identical, configuration format is identical, the list goes on and on.”
The group was placed on the US Treasury’s Office of Foreign Assets Control (OFAC) sanctions list in December 2019 after being accused of using the Dridex banking Trojan to steal over $100 million globally.
That meant corporate victims were effectively prohibited from paying the group a ransom or risk themselves being accused of breaking sanctions.
Mitch Mellard, a threat intelligence analyst at Talion, argued that rebranding could be widespread in the underground economy.
“I feel that this situation is somewhat of an indictment of ransomware insurance as a whole. We have reached the point where instead of blanket condemnation of paying ransoms across the board, two lists of criminals have been created,” he added.
“The first list is comprised of actors who have achieved such renown that paying them is actually treated as ... paying criminals. The second list is, by nature of its contents, also entirely criminals, but those who it is somehow acceptable to reward monetarily for their illegal activities.”