TechCrunch reports that Russian hacking gang Evil Corp has begun leveraging the LockBit ransomware in its attacks as it moved to a ransomware-as-a-service operation following sanctions imposed by the U.S. Treasury's Office of Foreign Assets Control in December 2019.
Mandiant researchers discovered that UNC2165, which had significant similarities with Evil Corp, including the use of Hades ransomware and several infrastructure overlaps, has been using the LockBit RaaS to conceal its operations with other Evil Corp affiliates as it sought to bypass U.S. sanctions.
"The adoption of existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp. Its adoption could also temporarily afford the actors more time to develop completely new ransomware from scratch, limiting the ability of security researchers to easily tie it to previous Evil Corp operations," said researchers.
The findings come after an alleged attack by the dismantled REvil ransomware group against an Akamai customer, which security researchers have already dismissed as a copycat operation.