Evil Corp is dodging sanctions by dressing up as REvil

The headquarters of the Sinclair Broadcast Group in Hunt Valley, Md. Sinclair was hit by Evil Corp ransomware in October. (Photo by Win McNamee/Getty Images)

The prolific ransomware group Evil Corp is sanctioned by the United States, creating legal and procedural barriers to paying its ransoms. Emsisoft believes the group is now identifying itself as a major competitor, REvil, to circumvent those sanctions.

Michael Gillespie, the malware analyst with Emsisoft who first noted the deceptive approach on Twitter last week, told SC Media the methodology has been identified in a single attack so far. The REvil branding was promoted at several stages of the attack: encrypted files were given the ".revil" extension, the ransomware note was named "revil.readme.txt," the ransom site had a cartoonish ninja logo reading "REvil," and the note itself mentioned being from REvil several times. ("Q: If I don't want to cooperate? A: Just google: Revil ransomware," reads the note.)

But the malware was easily attributed to Evil Corp, said Gillespie.

"I compared the code to previous (unpacked) samples of PayloadBin and Hades samples, and the code perfectly overlaps all over the place," he said, adding that the file formats and use of cryptocurrency also matched up.

Ignorance of a sanctioned group being behind a ransomware attack is not an excuse to make payments to groups on the Treasury Department's list of barred entities, known as the OFAC (Office of Foreign Assets Control) list.

Treasury sanctioned Evil Corp for ties to Russian espionage efforts.

Allan Liska, a ransomware expert with Recorded Future, said researchers had seen Evil Corp use similar tactics in the past.

"The badass logo, no. But Evil Corp pretending to be other ransomware, yes," he said.

Evil Corp has once before used an existing ransomware group for cover. In April, it played a similar trick claiming to be PayloadBin, the rebranded version of Babuk. Prior to that, Evil Corp had used several other aliases that were not established brands, including Phoenix, WastedLocker and Hades.

REvil is an extremely prominent group to mimic. The original REvil was taken offline in October by hackers believed to be international military and law enforcement. But before then, REvil had supplied the malware used in the Kaseya and JBS attacks earlier in the year. Due to increased coverage of these instances, it is a name that more casual followers of cybersecurity incidents are likely to know.

While the overwhelming consensus about Evil Corp's rapid name changes is that the group is trying to avoid sanctions, Brett Callow of Emsisoft said there might be one other explanation.

"Whether you consider this to be a play intended to confuse victims or to provide them with plausible deniability depends on your level of cynicism," he said.

Color the industry cynical.

"It's likely sanctions," said Gillespie.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
