EvilCorp, a sanctioned Russia-based cybercriminal enterprise, has been observed collaborating with RansomHub, one of the most active ransomware-as-a-service (RaaS) operations.
This partnership has heightened the threat landscape, as both entities leverage advanced tools and techniques to target organizations across the globe.
EvilCorp: A History of Cybercrime
EvilCorp, led by Maksim Yakubets, has long been notorious for its large-scale financial cyberattacks.
Initially known for deploying the Dridex banking trojan, the group expanded its operations to include ransomware families such as BitPaymer, WastedLocker, and PhoenixLocker.
Despite being under U.S. sanctions since 2019, EvilCorp has continued its activities by adapting its tactics and affiliating with other RaaS operations like LockBit and now RansomHub.
The group’s connections to Russian intelligence agencies further complicate enforcement efforts.
Yakubets’ father-in-law, Eduard Bendersky, a former FSB officer, is suspected of shielding EvilCorp from prosecution in Russia.
EvilCorp’s use of SocGholish malware (also known as FAKEUPDATES), which masquerades as legitimate browser updates to gain initial access to systems, remains a key indicator of its involvement in ransomware attacks.

RansomHub: The Rising Star in RaaS Operations
Active since February 2024, RansomHub has quickly become one of the most widespread ransomware families after absorbing affiliates from defunct operations like BlackCat/ALPHV and LockBit.
Known for its versatility, RansomHub affiliates employ diverse tools and techniques to achieve their objectives of data exfiltration and ransomware deployment.
The operation’s prominence has attracted ex-affiliates from other major ransomware groups, further consolidating its position in the cybercrime ecosystem.
Recent reports highlight RansomHub’s use of Python-based backdoors such as VIPERTUNNEL, often delivered via SocGholish infections, a tactic closely associated with EvilCorp.
According to the report, this overlap in tools and techniques underscores the growing collaboration between these two entities.
The partnership between EvilCorp and RansomHub is a significant concern for cybersecurity defenders and law enforcement agencies alike.
EvilCorp’s expertise in financial cybercrime combined with RansomHub’s expansive affiliate network creates a formidable threat capable of launching sophisticated attacks on organizations worldwide.
From a legal perspective, this collaboration raises new challenges. Because EvilCorp is under U.S. sanctions imposed by the Office of Foreign Assets Control (OFAC), organizations hit by ransomware attacks linked to the group face potential fines if they pay the ransom.
With RansomHub now affiliated with EvilCorp, victims may inadvertently violate these sanctions, complicating ransomware negotiations and cyber insurance claims.
Moreover, cybersecurity analysts predict that this association could lead to increased scrutiny of RansomHub by international law enforcement agencies.
Potential sanctions or takedowns targeting RansomHub could disrupt its operations but may also prompt rebranding efforts, a common tactic among ransomware groups seeking to evade detection and maintain profitability.
The collaboration between EvilCorp and RansomHub exemplifies the evolving tactics employed by cybercriminals to maximize their impact while evading enforcement actions.
As these groups continue to adapt and innovate, cybersecurity defenders must remain vigilant in monitoring emerging threats and developing proactive strategies to mitigate risks.
Organizations are advised to strengthen their defenses against known tactics such as SocGholish malware infections and Python-based backdoors while staying informed about developments in the ransomware ecosystem.
Enhanced threat intelligence sharing among industry stakeholders will be critical in countering the growing menace posed by this partnership.