Evil Corp

Also known as: Indrik Spider · Dridex Gang · Manatee Tempest · UNC2165

Type: cybercrime
Nation: 🇷🇺 Russia
Active Since: 2007
Targets: Financial Services · Insurance · Banking · Healthcare · Retail · Government
Known Tools: Dridex · WastedLocker · Hades · Phoenix CryptoLocker · PayloadBIN · Macaw · BitPaymer · FlawedAmmyy · Evil Corp Toolkit
MITRE ATT&CK: T1566.001 · T1059.001 · T1059.003 · T1055 · T1027 · T1071.001 · T1573 · T1486 · T1021.002 · T1078
References: DOJ Indictment (2019) · OFAC Sanctions Designation · NCA Evil Corp Intelligence · MITRE ATT&CK

Background

Evil Corp is one of the most prolific and sophisticated financially motivated cybercrime organizations in the world. Headquartered in Russia and operating since approximately 2007, the group is led by Maksim Yakubets, who was indicted by the U.S. Department of Justice in December 2019. The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) simultaneously designated Evil Corp and its members under sanctions, making them the first cybercriminal organization to face U.S. financial sanctions, and offering a $5 million reward for information leading to Yakubets' arrest — the largest such reward ever offered for a cybercriminal.

Evil Corp developed and operated Dridex, one of the most destructive banking trojans ever created, which caused over $100 million in losses to U.S. financial institutions and hundreds of millions globally. The group has close ties to Russian intelligence services: Yakubets has reportedly worked for Russia's FSB and maintains social ties to senior FSB officials, reflecting the blurred boundary between Russian organized cybercrime and state intelligence operations.

Following the 2019 sanctions, Evil Corp underwent significant rebranding to avoid sanction-triggered reluctance by ransomware-as-a-service operations and victim payment processors. The group cycled through multiple ransomware brands — WastedLocker, Hades, Phoenix CryptoLocker, PayloadBIN, Macaw — in rapid succession. CrowdStrike tracks the group as Indrik Spider, and Mandiant identifies UNC2165 as an Evil Corp offshoot.

Notable Campaigns

Dridex Banking Fraud Campaign (2011-2019): Evil Corp operated Dridex as a full-featured banking trojan delivered through massive phishing campaigns and macro-enabled Office documents. The malware enabled man-in-browser attacks to intercept banking credentials and manipulate online transactions. Estimated losses exceeded $100 million in the United States alone and hundreds of millions globally across over 40 countries.

WastedLocker Ransomware (2020): After the 2019 sanctions, Evil Corp transitioned to targeted ransomware operations. WastedLocker was deployed against over 31 U.S. companies including Garmin, which reportedly paid a $10 million ransom after the June 2020 attack encrypted servers and disrupted navigation and fitness tracking services globally.

Hades Ransomware Campaign (2020-2021): Evil Corp deployed Hades as a successor to WastedLocker, targeting large enterprises in the U.S. gaming, manufacturing, and transportation sectors. Hades shared significant code overlap with WastedLocker and was deployed exclusively against targets with revenues exceeding $1 billion.

OFAC Sanctions Evasion Operations (2021-2024): As tracked by Mandiant, UNC2165 (Evil Corp offshoot) shifted to deploying LockBit ransomware infrastructure to obscure attribution and evade the operational complications of sanctions. This demonstrates Evil Corp's sophistication in adapting to law enforcement pressure while maintaining revenue.

Tactics, Techniques & Procedures

Evil Corp relies heavily on high-volume phishing campaigns (T1566.001) for initial access, distributing macro-enabled Word and Excel documents through spam botnets. Post-Dridex, the group shifted toward more targeted operations, using Dridex as an initial access vehicle to identify high-value enterprise targets before deploying ransomware.

The group's ransomware campaigns demonstrate significant pre-deployment reconnaissance. Operators spend weeks performing internal reconnaissance, harvesting credentials (T1078), and identifying high-value systems including backup servers, ERP systems, and financial platforms before deploying ransomware at scale. Evil Corp has shown willingness to deploy ransomware across entire enterprise networks simultaneously to maximize operational impact.

Post-compromise tools include Cobalt Strike for C2, BloodHound for Active Directory enumeration, and standard living-off-the-land techniques using PowerShell (T1059.001) and WMI. The group is noted for methodical backup destruction prior to encryption.

Tools & Malware

  • Dridex: Full-featured modular banking trojan enabling credential theft, man-in-browser attacks, and malware distribution. The group's flagship tool for over a decade.
  • WastedLocker: Targeted ransomware deployed against large enterprises, with bespoke ransom demands calibrated to victim revenue.
  • Hades: WastedLocker successor with similar code structure, deployed exclusively against billion-dollar revenue targets.
  • Phoenix CryptoLocker / PayloadBIN / Macaw: Sequential ransomware rebrands used to evade OFAC sanctions scrutiny.
  • BitPaymer: Early ransomware variant used by Evil Corp before transitioning to WastedLocker.
  • FlawedAmmyy: Remote access trojan shared with FIN11, used as a Dridex-stage post-exploitation tool.

Indicators & Detection

Evil Corp's Dridex malware uses encrypted HTTPS communications with domain generation algorithm (DGA) C2 domains. Detection should focus on blocking macro execution in Office documents delivered via email, monitoring for PowerShell execution chains spawned from Office processes, and identifying Dridex's characteristic web inject and form-grabbing behavior in browser processes.

For ransomware deployment phases, monitor for Evil Corp's characteristic pre-encryption activity: BloodHound/SharpHound AD enumeration, bulk credential harvesting from LSASS, and PsExec or WMI lateral movement to server infrastructure. Alert on backup deletion commands and encryption activity spreading across network shares.
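As an added illustration of the detection guidance in this section and the TTPs described above (example code written for this profile, not tooling from the original page or from any vendor), the following Python routine applies those checks to constructed Sysmon-style process-creation events: Office-to-shell parent/child chains, shadow-copy and backup-catalog deletion, SharpHound/BloodHound enumeration, and shells spawned under the PsExec service or the WMI provider host. The event fields, rule names and the technique IDs not listed on the page (T1490, T1087, T1047) are my assumptions.

```python
import re
# Constructed Sysmon-style process-creation events (not real telemetry); paths shortened.
SAMPLE_EVENTS = [
    {"host": "wks-17", "parent": r"C:\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},   # AAAA = placeholder, not a payload
    {"host": "srv-bk01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-dc01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\svc\SharpHound.exe", "cmdline": "SharpHound.exe -c All"},
    {"host": "srv-erp02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "wks-17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}   # PsExec service / WMI provider host
# Shadow-copy and backup-catalog deletion commands commonly seen before encryption (T1490).
BACKUP_DESTRUCTION = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)
AD_ENUM = re.compile(r"sharphound|invoke-bloodhound|-collectionmethod", re.I)  # SharpHound/ingestor

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return [(rule_name, ATT&CK technique), ...] that fire for one event."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    hits = []
    if parent in OFFICE_PARENTS and image in SHELLS:          # macro document -> shell chain
        hits.append(("office_spawns_shell", "T1566.001/T1059.001"))
    if BACKUP_DESTRUCTION.search(cmd):                         # pre-encryption backup wipe
        hits.append(("backup_destruction", "T1490"))
    if "sharphound" in image or AD_ENUM.search(cmd):           # BloodHound/SharpHound enumeration
        hits.append(("ad_enumeration", "T1087"))
    if parent in REMOTE_EXEC_PARENTS and image in SHELLS:      # PsExec/WMI lateral movement
        hits.append(("remote_exec_child", "T1021.002/T1047"))
    return hits

def triage(events):
    """Group hits by host so responders see which machines need attention first."""
    findings = {}
    for ev in events:
        for hit in evaluate(ev):
            findings.setdefault(ev["host"], []).append(hit)
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags four of the five constructed hosts; the notepad event on wks-17 produces no hit, which is the false-positive check a rule set like this should pass before deployment.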

Given OFAC sanctions, U.S. financial institutions and cybersecurity incident responders have legal obligations to consider before facilitating ransom payments to Evil Corp. Engage specialized legal counsel before any ransom negotiation if Evil Corp attribution is suspected. The Treasury's OFAC FAQ provides guidance on the sanctions compliance implications for organizations considering ransom payments.
