According to ThreatPost, the criminal group Evil Corp is trying to mask its latest activity by using previously unknown ransomware called PayloadBin, according to researchers. The move is believed to be an attempt to confuse law enforcement and avoid sanctions imposed by the U.S. federal government against entities it believes are linked to Evil Corp, according to published reports.

Evil Corp, widely associated with the info-stealing Dridex malware, has been the target of a crackdown by U.S. authorities since 2019. As part of that effort, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions against anyone or organization it believes has ties with the criminal enterprise. This action effectively prevents ransomware negotiation firms from facilitating ransom payments with Evil Corp, which limits its ability to profit from criminal activity.

When first discovered, researchers believed PayloadBin was related to a criminal group associated with use of malware called Babuk Locker, according to a published report. That’s because the Babuk crew recently announced it was hanging up its ransomware hat to switch to a new cybercriminal effort. Researchers then said the cybergang regrouped and introduced new tactics and branding, calling themselves “PayloadBin” at the end of May.

At the time, researchers thought that the Babuk crew might have changed its mind about foregoing ransomware, as the PayloadBin sample presented itself as ransomware that encrypted files and left a ransom note.

However, upon further inspection, researchers identified the malware as the work of Evil Corp based on previous ransomware operations of that group, according to the report, which was corroborated by security researcher Fabian Wosar on Twitter.

“Looks like EvilCorp is trying to pass off as Babuk this time,” Wosar tweeted. “As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations.”

The move is not the first time Evil Corp has tried to obscure its activity by changing the names of its ransomware operations. The group is originally known for distributing the Zeus malware and then the Dridex banking trojan, the latter of which allowed the group allegedly to steal millions of dollars from a combination of capturing banking credentials and then making unauthorized transfers from the compromised accounts.

The U.S. government caught wind of the group’s activities and made them a target of a major investigation in 2019, even offering up $5 million for information leading to the arrest of Evil Corp leader Maksim V. Yakubets, 32, of Russia, who goes under the moniker “aqua” and is known for leading a lavish lifestyle. The OFAC’s sanctions were a part of this operation.

Evil Group went on a brief hiatus and then returned at the end of January 2020 using a new infostealer, the GraceWire trojan, most likely to evade the feds.

In later attacks—one against GPS tech specialist Garmin in August 2020 and one against insurance giant CNA in March of this year—Evil Corp was seen delivering ransomware with different names, again in what researchers believe was an effort to fly under the radar of federal detection.

The group employed ransomware called WastedLocker against Garmin; the company may have paid more than $10 million for the decryption key after that attack, according to reports. In the CNA incident, Evil Corp’s weapon of choice was ransomware called Phoenix Cryptolocker, which researchers identified as the work of the group because of its similarities to WastedLocker.

Now that researchers have blown the lid off the group’s connection to PayloadBin, it’s unlikely that anyone will help an organization targeted by the ransomware to negotiate payment to Evil Corp for any decryption efforts, they said.


It’s no question that threat actors are sophisticated and creative when it comes to coercing and receiving ransom payments. This is why it’s so important to have someone who can understand and properly analyze malware on your side. As mentioned above, if you’re organization rushes a ransomware payment and it ends up going to an OFAC sanctioned group, heavy fines can be issued on top of already losing profit to cybercriminals. If you feel your organization is under a ransomware attack, call our Security Operation Center as we have highly technical engineers on call 24 hours a day.

We specialize in incident response handling, but obviously, being proactive is much better than being reactive. We offer our Security Operations Center as a Service (SOCaaS) because we understand how important it is for our partners to be able to communicate with a real cyber professional on issues within their environment at any moment in the day. Security tools are all over the market and many will provide a layer of protection, but our Security Operations Center as a Service in tandem with our endpoint detection and response tool, ShadowSpear®, is the future of what cybersecurity will look like. Get ahead of threats today.

Our team will continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.