After restructuring due to the arrest of two of their members, the Russian cybercrime group Evil Corp has returned with new ransomware and tactics. Originally known for distributing the Dridex banking trojan, the group has returned with new ransomware called WastedLocker. According to researchers at Fox-IT, the new ransomware is being used in targeted attacks against corporations. Because the group is selective in who they target, the ransomware is customized for each victim and typically is used to hit file servers, database services, virtual machines, and cloud environments. To deliver the ransomware, the group is targeting websites to insert malicious code that displays fake update alerts. One of the payloads sent in this attack is the Cobalt Strike penetration testing framework, which the threat actors will use to gain access to the infected device. After access is gained into the network through the device, the group will further compromise the network and deploy the WastedLocker ransomware. It is important to note that the WastedLocker ransomware does not steal files before decrypting them, and there is not a free decryptor available to be used by victims. In many cases, the ransom that is asked for by the group is between 500,000 dollars and a few million dollars.