Category: Evil Corp
The Evil Corp Cyber Attack on NATO Countries
The notorious Russian state-funded cyber threat group known as Evil Corp has recently made headlines for its targeted cyber attacks against NATO countries. According to revelations from Britain’s National Crime Agency (NCA), this group has exploited vulnerabilities within these nations, leveraging connections to evade sanctions imposed by U.S. authorities. Central to their operations is Maksim Yakubets, the group’s leader, who reportedly utilizes his father-in-law, Eduard Bendersky—a figure of considerable political influence—to shield those indicted in the United States from prosecution.
Evil Corp first garnered significant attention in 2019 when law enforcement agencies caught them engaged in espionage activities against NATO nations. That same year, they expanded their operations to include ransomware attacks on various corporate networks throughout North America. These attacks often exploited public Wi-Fi networks in places like airports and cafes, facilitating the rapid spread of malware and underscoring the vulnerabilities of even well-established organizations.
The NCA’s investigations revealed that Yakubets has cleverly navigated the complexities of international law, effectively transporting indicted members of Evil Corp to Moscow, where they are sheltered from U.S. scrutiny. This strategic relocation not only obfuscates their identities but also ensures that the threat posed by Evil Corp remains a persistent issue, rather than being entirely neutralized.
Ransomware Attack on UMC Health System
In a separate but related incident, the University Medical Center Health System (UMC) in Texas experienced a significant ransomware attack on September 26 of this year. The attack resulted in a temporary shutdown of crucial medical systems, disrupting operations across the facility, which serves over 30 clinics and employs more than 4,000 individuals. Fortunately, UMC had a robust data continuity plan in place, enabling a swift recovery process following the attack.
During the crisis, emergency ambulance services were redirected to other hospitals to ensure that patient care was not compromised. However, thanks to the efforts of security experts and the implementation of effective mitigation strategies, UMC was able to recover digital patient records quickly. As a result, the facility is expected to resume full operations by early next week.
The rising frequency of ransomware attacks targeting healthcare networks poses a significant challenge, as these institutions often find themselves with limited options for evading ransom demands. As cybercriminal tactics evolve, many healthcare facilities have begun adopting advanced technologies such as cloud infrastructure and on-premise backup solutions to restore operations more effectively. This shift is making it increasingly difficult for cybercriminals to extract financial gains from such attacks, prompting a shift in focus toward other sectors, including finance and education.
Conclusion
The activities of Evil Corp and the ransomware attack on UMC Health System highlight the growing and evolving threats in the cyber landscape. As state-sponsored groups and independent criminals continue to target critical infrastructure, the need for robust cybersecurity measures and international cooperation becomes ever more vital. The resilience demonstrated by organizations like UMC serves as a model for how to respond to such threats effectively, but the underlying risks remain a pressing concern for all sectors, particularly in an increasingly digital world.
The post Russia Cyber attack on Nato countries and ransomware attack on UMC Health System appeared first on Cybersecurity Insiders.
The Russian government today handed down a treason conviction and 14-year prison sentence on Ilya Sachkov, the former founder and CEO of one of Russia’s largest cybersecurity firms. Sachkov, 37, has been detained for nearly two years under charges that the Kremlin has kept classified and hidden from public view, and he joins a growing roster of former Russian cybercrime fighters who are now serving hard time for farcical treason convictions.

Ilya Sachkov. Image: Group-IB.com.
In 2003, Sachkov founded Group-IB, a cybersecurity and digital forensics company that quickly earned a reputation for exposing and disrupting large-scale cybercrime operations, including quite a few that were based in Russia and stealing from Russian companies and citizens.
In September 2021, the Kremlin issued treason charges against Sachkov, although it has refused to disclose any details about the allegations. Sachkov pleaded not guilty. After a three-week “trial” that was closed to the public, Sachkov was convicted of treason and sentenced to 14 years in prison. Prosecutors had asked for 18 years.
Group-IB relocated its headquarters to Singapore several years ago, although it did not fully exit the Russian market until April 2023. In a statement, Group-IB said that during their founder’s detainment, he was denied the right to communicate — no calls, no letters — with the outside world for the first few months, and was deprived of any visits from family and friends.
“Ultimately, Ilya has been denied a chance for an impartial trial,” reads a blog post on the company’s site. “All the materials of the case are kept classified, and all hearings were held in complete secrecy with no public scrutiny. As a result, we might never know the pretext for his conviction.”
Prior to his arrest in 2021, Sachkov publicly chastised the Kremlin for turning a blind eye to the epidemic of ransomware attacks coming from Russia. In a speech covered by the Financial Times in 2021, Sachkov railed against the likes of Russian hacker Maksim Yakubets, the accused head of a hacking group called Evil Corp that U.S. officials say has stolen hundreds of millions of dollars over the past decade.
“Yakubets has been spotted driving around Moscow in a fluorescent camouflage Lamborghini, with a custom licence plate that reads ‘THIEF,’” FT’s Max Seddon wrote. “He also ‘provides direct assistance to the Russian government’s malicious cyber efforts,’ according to US Treasury sanctions against him.”
In December 2021, Bloomberg reported that Sachkov was alleged to have given the United States information about the Russian “Fancy Bear” operation that sought to influence the 2016 U.S. election. Fancy Bear is one of several names (e.g., APT28) for an advanced Russian cyber espionage group that has been linked to the Russian military intelligence agency GRU.
In 2019, a Moscow court meted out a 22-year prison sentence for alleged treason charges against Sergei Mikhailov, formerly deputy chief of Russia’s top anti-cybercrime unit. The court also levied a 14-year sentence against Ruslan Stoyanov, a senior employee at Kaspersky Lab. Both men maintained their innocence throughout the trial, and the supposed reason for the treason charges has never been disclosed.
Following their dramatic arrests in 2016, some media outlets reported that the men were suspected of having tipped off American intelligence officials about those responsible for Russian hacking activities tied to the 2016 U.S. presidential election.
That’s because two others arrested for treason at the same time — Mikhailov subordinates Georgi Fomchenkov and Dmitry Dokuchaev — were reported by Russian media to have helped the FBI investigate Russian servers linked to the 2016 hacking of the Democratic National Committee.
Security researchers from Mandiant have discovered that Russian hacking group Evil Corp has changed its tactics to evade sanctions pronounced by the United States Treasury Department.
UNC2165, a threat cluster that includes operators spreading LockBit and Conti ransomware, has been tracked by law enforcement since its financial crimes brought it under U.S. sanctions in 2019.
According to Mandiant, UNC2165 is Evil Corp operating under a new name; the group changed its attack tactics in October last year, infecting banks and other financial organizations across 40 countries with the Dridex malware.
The group apparently believed that law enforcement would not detect its new infection tactics.
But Mandiant claims to have enough evidence to show that UNC2165 is a disguise for Evil Corp, which stole over $100 million in 2019-20 alone. The group’s ransomware was earlier distributed as WastedLocker and has more recently shifted to Hades.
In other words, only the name has changed; the attribution indicators, infection methods, and ransom demand tactics remain the same.
NOTE: Evil Corp is a cybercrime group that uses malicious software to steal currency from victims’ bank accounts. It is said to be linked to Moscow, Russia, and is struggling to evade sanctions, as all payments made to the group are now being tracked by the FBI and NSA. Ransomware and its spread are being treated as a national threat, because file-encrypting malware has the potential to put a business out of operation permanently.
The post Russian Evil Corp changes tactics to avoid sanctions appeared first on Cybersecurity Insiders.