U.S. Treasury Department Applies Sanctions to Russian-Based Cybercriminal Group, Evil Corp


In early December, the United States Treasury Department's Office of Foreign Assets Control (OFAC) announced new sanctions against the Russian cybercriminal gang Evil Corp, the group responsible for the Dridex malware.

Who is Evil Corp?

The detailed report from the U.S. Treasury Department sets out the sanctions against the cybercriminal gang Evil Corp and its members. Operating as a business structure out of Moscow, Russia, the group has accumulated at least $100 million through illicit cyber activities and extortion campaigns. Its leader, Maksim "Aqua" Yakubets, has been added to the FBI Most Wanted list on charges including conspiracy, conspiracy to commit fraud, wire fraud, bank fraud, and intentional damage to a computer. Yakubets was also charged in connection with the 'Zeus' malware, which affected tens of thousands of computers and networks in the United States.

Sanctions against Evil Corp

On December 5th, 2019, as a result of the findings around Dridex and Evil Corp, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) officially took action against the cyber gang and its illicit activities. The sanctions are the result of a coordinated investigation with the United Kingdom's National Crime Agency (NCA), the Treasury Department's Financial Crimes Enforcement Network (FinCEN), and the Treasury Department's Office of Cybersecurity and Critical Infrastructure Protection (OCCIP).

Also charged in connection with Evil Corp is Denis Gusev, a senior member of the cyber gang. Investigations have revealed that, since 2017, Gusev has assisted Evil Corp by securing office space and business connections for the organization. Several Russian business entities are associated with this criminal activity, including Biznes-Stolitsa, OOO; Optima, OOO; Treid-Invest, OOO; TSAO, OOO; Vertikal, OOO; and Yunikom, OOO. Additionally, other Russian citizens linked to Evil Corp were designated under Executive Order 13694, which targets "significant malicious cyber-enabled activities."

Dridex malware

Having first appeared in 2012, Dridex is the malware Evil Corp uses to harvest credentials and data and to conduct surveillance on a victim's computer and network. The CISA Alert (AA19-339A) notes that the malware is commonly used in criminal campaigns against the banking and financial industries. According to the U.S. Department of the Treasury, Evil Corp has targeted nearly 300 financial institutions and banks in over 40 countries around the world. Many of its victims are banks located in the United States and the United Kingdom.

How it works

Since its emergence in 2012, the cybersecurity community has seen many variants and implementations of Dridex, and the malware has repeatedly adapted to new browser patches over the years. It relies on unsuspecting users to run a loader module that carries its exploitation and executable components. Dridex also heavily exploits CVE-2017-0199, a remote code execution vulnerability in Microsoft Office and WordPad.

How is it distributed?

A large part of the Dridex malware's success can be attributed to Evil Corp's ability to build large-scale phishing campaigns. Using polished language and research on their victims, the cybercriminal gang crafts more convincing email campaigns. Evil Corp members have been found to "employ a combination of legitimate business names and domains, professional terminology, and language implying urgency to persuade victims to activate open attachments", according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Ransomware operators

Dridex has gone through several modifications, with variants adapted to focus on encryption-based cybercrime such as ransomware. Security researchers have found similarities between Dridex and BitPaymer (Friedex), as both use the same code structure and deployment methods. The U.S. Cybersecurity and Infrastructure Security Agency has also noted similarities with Locky ransomware and its variants Zepto and Osiris. These ransomware variants are loaded using the same vulnerabilities that are exploited alongside Dridex.

How to protect your data from malware

After learning how malware can impact your organization, we recommend taking proactive steps to ensure you’re protected:

Train your employees

Malware such as Dridex and BitPaymer most commonly enters the network through large phishing email campaigns. These campaigns rely on unsuspecting employees to click links and/or download unauthorized executables. Regular training sessions on cybersecurity and malware/ransomware encourage employees to look more closely at the data they send and receive, greatly reducing the risk of a cyberattack.

Keep software/hardware updated

Dridex thrives when businesses neglect to update their software and hardware configurations across the network. The malware exploits vulnerabilities in unpatched software to gain privileges and capabilities that are closed in subsequent vendor updates. For example, Dridex was able to execute a "loader" module on victims' computers that ran older versions of Microsoft Office and WordPad. The patch closing this vulnerability was released in 2017; such updates should be mandated through procedures that keep all software and hardware current with the latest patches.

Track privileges and user activity

Cybercriminals thrive in network environments that have little or no privileged access management (PAM). It is recommended to keep a log of which users have elevated access to change network and administrative settings. Threat actors often target users with higher levels of access in order to change permission settings and gain greater control over the business. Organizations can also follow the National Security Agency's 'Top Ten Cybersecurity Mitigation Strategies', which outlines actions businesses can take to avoid becoming victims of cybercrime.
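One concrete way to keep the recommended log of elevated access is to snapshot the membership of a privileged group on a schedule, compare it with an approved baseline, and record the result. The script below is an added example and not part of the original article or of any vendor tool: it parses the text output of the Windows `net localgroup <group>` command, flags accounts that are not on the approved list, and writes a JSON log line. The command output, the hostname and the approved baseline are constructed sample values.

```python
"""Audit which accounts hold elevated access and log the result.

Added example (not from the original article): parses `net localgroup <group>`
output into a member list, compares it with an approved baseline, and emits one
JSON line for a privileged-access log. All sample data below is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample output of `net localgroup Administrators` on a workstation.
SAMPLE_NET_LOCALGROUP_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
jsmith
svc_backup
The command completed successfully.
"""

# Hypothetical approved baseline: who is supposed to hold local admin rights.
APPROVED_ADMINISTRATORS = {"Administrator", "CORP\\Domain Admins", "jsmith"}


def parse_net_localgroup(output: str) -> list[str]:
    """Return the member names listed by `net localgroup <group>`.

    Members appear after the dashed separator line and before the trailing
    'The command completed successfully.' footer.
    """
    members = []
    in_members = False
    for line in output.splitlines():
        line = line.strip()
        if not in_members:
            if line.startswith("----"):
                in_members = True
            continue
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def audit_group(group: str, current: list[str], approved: set[str]) -> dict:
    """Compare current membership with the approved baseline."""
    current_set = set(current)
    return {
        "group": group,
        "members": sorted(current_set),
        "unapproved": sorted(current_set - approved),  # present but not approved: review/remove
        "missing": sorted(approved - current_set),     # approved but absent: may signal tampering
    }


def make_log_entry(host: str, audit: dict) -> str:
    """Serialise one audit result as a JSON line for the privileged-access log."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "host": host,
        **audit,
    }
    return json.dumps(entry, sort_keys=True)


if __name__ == "__main__":
    members = parse_net_localgroup(SAMPLE_NET_LOCALGROUP_OUTPUT)
    result = audit_group("Administrators", members, APPROVED_ADMINISTRATORS)
    print(make_log_entry("ws-finance-01", result))  # hypothetical hostname
    if result["unapproved"]:
        print("ALERT: unapproved elevated accounts:", ", ".join(result["unapproved"]))
```

Run on a real host, the constructed string would be replaced by the captured output of `net localgroup Administrators`, and the JSON lines appended to a central log so that any newly added administrator stands out the next time the job runs.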

Reporting cybercrime

Authorities are able to apply these sanctions because of the collective data and reports on cybercrime gathered across the nation and the world. Reporting a cybercrime helps law enforcement track and detect cybercriminal activity, giving the public a better understanding of these cyber gangs and their illicit activity.

If you are a victim of a cybercrime, reporting ransomware to authorities is of the utmost importance. We have provided a global reference for where to report these cybercrimes based on your location.

Through collaboration among local, state, federal, and global cybercrime agencies, these legal developments and sanctions have sent a strong message about the consequences of cyber-related criminal activity and extortion worldwide. However, this also presents a positive opportunity for businesses to be proactive in their cybersecurity defenses and take these cyber threats seriously.


Written by

Vladyslav Havryliuk, Cybersecurity Content Writer

Technical writer at Proven Data covering incident response, digital forensics, and cybersecurity best practices.