Ransomware, Threat Management, Threat Management, Malware

Ransomware group blurs lines between crime, state-sponsored activities, HHS alert warns

A nurse looks at her watch at the bedside of a patient
Healthcare providers should review known tactics of the exceptionally capable Evil Corp threat group. (Photo credit: "EMT/Nursing Pediatric Emergency Simulation - April 2013 18" by COD Newsroom is licensed under CC BY 2.0.)

The Department of Health and Human Services Cybersecurity Coordination Center warns “Evil Corp should be considered a significant threat to the U.S. health sector.” An HC3 alert details the ongoing risk posed by the highly capable cybercrime syndicate based out of Russia.

“It’s entirely plausible Evil Corp could be tasked with acquiring intellectual property from the U.S. health sector” using data exfiltration cyberattacks “at the behest of the Russian government,” according to the alert.

Evil Corp first emerged in 2009 and is behind the development and operations of some of the most powerful malware and ransomware variants used in the current threat landscape.

The group’s primary “exceptionally aggressive and capable” tactics include ransomware, which means the healthcare sector is among its targets given the nature of the sector’s operation and likelihood to pay some form of ransom.

The most effective variant developed by Evil Corp is Dridex: multifunctional malware and one of the most prevalent trojans. Dridex is able to impact the confidentiality and availability of operations data and systems directly related to business operations, including banking and health information.

Not only do the financially motivated actors have a substantial “in-house cyber weapon arsenal,” they use their relationships with other cybercriminal groups and the Russian government for access to other prolific malware variants, like TrickBot, Emotet and Ryuk ransomware.

All of these variants have been known to prolifically target the healthcare sector. In short, Evil Corp blurs the “proverbial lines between cybercriminals and state-sponsored activities” and is "one of the world’s most powerful criminal gangs.”

“Evil Corp has a wide set of highly capable tools at their disposal,” according to the alert. The variants are developed and maintained in-house and “often used in conjunction with commodity malware, living-off-the-land techniques and common security tools designed for legitimate and lawful security assessments.”

The actors have repeatedly modified their tactics to evade U.S. government actions to thwart them and have caused millions of dollars in damage to the U.S. Seventeen of its members were sanctioned by the Treasury Department, and two other members were indicted by the FBI.

For HC3, the concern is that foreign governments, like Russia, “often find it to be more cost effective to steal research and intellectual property via data exfiltration cyberattacks rather than invest time and money into conducting research themselves.”

These tactics make the healthcare sector a prime target, given its troves of intellectual property. In terms of targeting, Evil Corp does not discriminate: both large organizations and smaller entities are at risk, as the groups target based on opportunity. 

“The extent to which their activities are driven by both personal greed and a state political agenda gives them one of the widest array of potential motivations of all the major cyber threat actors in the world, according to the alert.

The HC3 alert provides in-depth insights into the actors themselves, known variants, tactics, and other pressing issues tied to Evil Corp. However, entities won’t find a list of “comprehensive list of defense and mitigations recommendations,” as it’s impractical given the tremendous amount of customized tactics leveraged and continually developed by Evil Corp.

Instead, HC3 is urging the sector to review past alerts on known Evil Corp variants and overall risk posed by the group, as well as sample mitigations of past attacks.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.