After careful code analysis, cybersecurity researchers have linked a new ransomware known as Macaw Locker to the Russian-based crime group Evil Corp. The threat group has been actively involved in international bank fraud and computer hacking schemes since 2007, and in 2019 the U.S. Department of Justice (DOJ) charged the heads of the group with conspiracy, computer hacking, wire fraud, and bank fraud in a 10-count indictment. This led to a sanction on the group, which banned ransomware negotiation firms from facilitating ransom payments for operations attributed to Evil Corp. Cybersecurity experts also noted that Evil Corp began creating limited use ransomware operations under various names to evade the treasury sanctions.
Earlier this week, Macaw Locker was exposed as the recent malware iteration by Evil Corp, which was used in the attacks involving Japanese tech company Olympus and the Sinclair Broadcast Group earlier this month. This ransomware encrypts the target’s files and adds the .macaw extension to the file name. The targets are then directed to the cyber gang’s negotiation site via a ransom note named macaw_recover.txt.
Experts predict that the crime group will continue to modify and rename their ransomware as necessary to bypass treasury sanctions.