A warning has been issued to the healthcare and public health (HPH) sector by the U.S. Office of Information Security’s Health Sector Cybersecurity Coordination Center (HC3) about the Evil Corp threat group. Evil Corp is a Russian cybercriminal group with extensive capabilities that has been operating for more than a decade. The group is responsible for creating and operating some of the most capable malware and ransomware families in circulation, including the Dridex banking Trojan, which targeted the credentials of customers of hundreds of banks and financial institutions in more than 40 countries. Dridex allowed the group to steal more than $100 million, in addition to causing considerable harm to financial organizations in the United States and their customers.
Evil Corp, also known as UNC2165, GOLD DRAKE and Indrik Spider, was also behind the Zeus malware and its major variants, such as GameOver Zeus and JabberZeus, and ransomware families such as DoppelPaymer, Hades, PhoenixLocker and WastedLocker. These malware and ransomware families have been used in many attacks in the United States. The group is also known to use commodity malware and publicly available tools such as Cobalt Strike, Mimikatz, Koadic, Covenant, PowerSploit, and Donut. Phishing and malicious code injection are its initial access vectors of choice.
While Evil Corp is a financially motivated cybercriminal organization, it is known to cooperate with the Russian security services, with the leader of the group, Maksim Yakubets, interfacing with the Russian government. It is possible that the Russian government has tasked Evil Corp with obtaining intellectual property from organizations in the United States. The group is known to have close relationships with other cybercriminal groups operating out of Russia, such as Doppel Spider, Wizard Spider, and Mummy Spider, the latter being responsible for the notorious Emotet Trojan. Evil Corp’s malware and ransomware have been used in attacks on many healthcare and public health organizations, and the group continues to pose a significant threat to the HPH sector.
Defending against attacks by Evil Corp is a challenge because of the group’s capabilities, its diverse malware and ransomware arsenal, and the custom tooling it continues to develop; however, HC3 has shared several resources that network defenders can use to improve their defenses, including indicators of compromise (IOCs) and YARA rules for detecting the malware and ransomware variants used by the group. IOC lists of this kind are usually published as plain text with defanged domains and URLs (for example `[.]` in place of `.` and `hxxp://` in place of `http://`), so they need to be normalized before they can be matched against file hashes or DNS logs.
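The following is an added example of how a defender might consume an advisory-style IOC list: it normalizes defanged indicators, hashes local files, and matches DNS query logs against the listed domains (including subdomains and trailing-dot names). It is not code from HC3 or from the article, and every indicator, payload and log line in it is constructed for illustration; none of them are the real Evil Corp indicators HC3 published.

```python
"""Match a constructed IOC feed against local files and DNS log lines.

Added example. All indicators, the sample payload and the log lines are
constructed for illustration and are NOT the indicators published by HC3.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a malicious file; its hash is placed in the feed
# below so the file scan has something to hit.
SAMPLE_PAYLOAD = b"constructed sample payload, not real malware\n"

# Constructed IOC feed in the loose text form most advisories use: one
# indicator per line, '#' comments, defanged domains/URLs, hashes of any length.
SAMPLE_IOC_FEED = f"""
# constructed indicators for this example only
hxxp://update-check[.]example/upd.php
c2-beacon[.]example
{hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}
"""

# Constructed DNS resolver log lines (resolver-agnostic 'query=<name>' format).
SAMPLE_DNS_LOG = [
    "2024-03-01T10:00:01Z client=10.0.0.5 query=www.example.org type=A",
    "2024-03-01T10:00:02Z client=10.0.0.5 query=c2-beacon.example type=A",
    "2024-03-01T10:00:03Z client=10.0.0.7 query=cdn.update-check.example. type=A",
]

# MD5, SHA-1 and SHA-256 hex digests respectively.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
QUERY_RE = re.compile(r"\bquery=(\S+)")


def refang(indicator: str) -> str:
    """Undo the common defanging conventions: [.] (.) [dot] -> . and hxxp -> http."""
    s = indicator.strip()
    for token in ("[.]", "(.)", "[dot]", "(dot)"):
        s = s.replace(token, ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def parse_ioc_feed(text: str):
    """Split a text IOC feed into a set of lowercase hashes and a set of hostnames."""
    hashes, domains = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        ind = refang(line)
        if HASH_RE.match(ind):
            hashes.add(ind.lower())
            continue
        # URLs and bare domains both reduce to a host: strip scheme and path.
        host = re.sub(r"^https?://", "", ind, flags=re.IGNORECASE).split("/", 1)[0]
        domains.add(host.lower().rstrip("."))
    return hashes, domains


def hash_file(path) -> dict:
    """Return md5/sha1/sha256 hex digests of a file, read in chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def scan_files(paths, hashes):
    """Return (path, algorithm, digest) for every file whose digest is in the IOC set."""
    hits = []
    for p in paths:
        for algo, digest in hash_file(p).items():
            if digest in hashes:
                hits.append((str(p), algo, digest))
    return hits


def domain_matches(qname: str, domains) -> bool:
    """True if qname equals an IOC domain or is a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def scan_dns_log(lines, domains):
    """Return the log lines whose queried name matches an IOC domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and domain_matches(m.group(1), domains):
            hits.append(line)
    return hits


def demo(workdir=None):
    """Write one matching and one benign file, then run both scans over the constructed data."""
    workdir = Path(workdir or tempfile.mkdtemp())
    bad = workdir / "dropper.bin"
    bad.write_bytes(SAMPLE_PAYLOAD)
    good = workdir / "notes.txt"
    good.write_bytes(b"benign file contents\n")
    hashes, domains = parse_ioc_feed(SAMPLE_IOC_FEED)
    return scan_files([bad, good], hashes), scan_dns_log(SAMPLE_DNS_LOG, domains)


if __name__ == "__main__":
    file_hits, dns_hits = demo()
    for hit in file_hits:
        print("FILE", *hit)
    for line in dns_hits:
        print("DNS ", line)
```

The subdomain check matters in practice: beaconing malware frequently resolves a host under the listed domain rather than the apex, and resolver logs often record the fully qualified name with a trailing dot, so an exact-string comparison would miss both cases.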