Threat Watch

EvilCorp Pretends to be Another Ransom Gang to Avoid US Sanctions

A “new” ransomware going by the name PayloadBIN has been discovered online by Fabian Wosar, the CTO of Emsisoft. Wosar attributed the sample to the well-known Evil Corp in a tweet posted on June 5th. The group began releasing variants of its WastedLocker ransomware under different names, such as Hades and later Phoenix, after being officially sanctioned by the U.S. Department of Justice (DoJ) and State Department in 2019. Sending funds to sanctioned entities can have consequences for US companies, making it less likely that victims will send ransom payments, or that US cybersecurity companies will help facilitate ransom payments, if they know the attacker is Evil Corp. Now, after the group behind Babuk decided to rebrand as it exits the ransomware business to focus on extortion, Evil Corp has capitalized on the opportunity to use Babuk’s new name, Payload.bin. The move attracted plenty of media attention, even prompting Babuk/Payload.bin to publish a new blog post before taking it down a short time later.

A now-deleted blog post from the Payload.bin leak site

ANALYST NOTES