The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the healthcare and public health sector (HPH) about one of the most capable and aggressive cybercrime syndicates currently in operation – Evil Corp. The group operates out of Russia, has been active since at least 2009, and is responsible for the infamous Dridex banking Trojan and several other ransomware and malware variants, including BitPaymer, Hades, Phoenixlocker, WastedLocker, SocGholish, GameOver Zeus, and JabberZeus. Evil Corp’s malware and ransomware variants have been used in many cyberattacks on the HPH sector, one of the most well-known being the BitPaymer ransomware attack on the National Health Service (NHS) Lanarkshire Board in Scotland in 2017.
Evil Corp’s primary modus operandi in recent years is conducting digital extortion attacks, including the use of ransomware, and the theft of sensitive information. HC3 warns that Evil Corp may conduct attacks at the request of the Russian government, including attacks that steal intellectual property, and members of the group are known to cooperate with the Russian intelligence agencies. The group has access to several third-party malware strains, including the TrickBot and Emotet Trojans, and has links to major ransomware and cybercriminal operations worldwide.
Evil Corp has been the subject of multiple law enforcement operations. The leader of Evil Corp, Maksim Yakubets, was indicted by a federal grand jury in 2019 and was charged with conspiracy, computer hacking, wire fraud, and bank fraud related to the distribution of Bugat malware, the predecessor of Dridex. In addition to running the operation, Yakubets interfaces with the Russian government and is known to have been tasked with projects on behalf of the Russian FSB. Several other high-ranking members of the group have also been identified and are currently being sought by the FBI and other law enforcement agencies.
The group is heavily reliant on money mules for receiving payments extorted from its victims. At least 8 Moscow-based individuals are known to have served as financial facilitators for the group and are involved in moving the profits from the attacks in ways that prevent the money from being traced by law enforcement.
Because Evil Corp uses so many malware and ransomware variants, it employs a wide range of tactics, techniques, and procedures in its attacks. The group also has extensive technical capabilities, both in-house and through associations with other cybercriminal operations. One of the main methods used to gain initial access to victims’ networks is phishing. The group is also known to use legitimate security tools and living-off-the-land techniques to evade security solutions and operate undetected. These include publicly available tools such as Cobalt Strike, Covenant, Donut, Kodiac, MimiKatz, PowerShell Empire, and PowerSploit, along with many self-developed tools.
Due to the extensive range of malware and ransomware variants and custom tools used by the group, multiple defensive measures and mitigations are required to detect and block attacks. HC3 has listed several resources in the alert to help network defenders improve their defenses, along with indicators of compromise, YARA rules, and other defensive information.
The post Healthcare Organizations Warned About Evil Corp. Cybercrime Syndicate appeared first on HIPAA Journal.