Evil Corp, a threat group that has been around since 2007, has a track record of switching tactics and tools. The group was known for pushing the Dridex malware and later switched to the ransomware business. They started with Locky ransomware and then deployed their own strain, known as BitPaymer, up until 2019. When the U.S. sanctioned the group in December 2019 for using Dridex, they switched to WastedLocker and then Hades ransomware. From there, the group impersonated the PayloadBin Hacking Group and used the Macaw Locker and Phoenix CryptoLocker to infect victims. According to Mandiant, the group has now made another switch and has begun deploying ransomware as a LockBit affiliate. This move occurred after more sanctions from the U.S. and allows the group to blend in with other groups.
The switch to become a LockBit affiliate is likely meant to let the group blend in with other attacks while U.S. sanctions continue to target them and other ransomware operators. It is also assumed that LockBit is more cost-effective for the group, as they do not have to cover all of the development costs. They may also be using this time to stay semi-hidden as they develop their own new strain of ransomware. As the U.S. continues to apply sanctions to ransomware operators, the groups will keep finding ways around them or ways to hide from them. Groups like this are expected to keep using obscure methods to hide themselves and their attacks as ways to get around sanctions that would otherwise prohibit victims from paying the ransom.