Evil Corp, a Russia-based cybercrime syndicate, exemplifies the sophistication and audacity of modern cybercriminal organizations. Known for large-scale banking fraud and, later, ransomware, the group has inflicted heavy financial damage on businesses and institutions around the world. This article covers the origins, tactics, key figures, and impact of Evil Corp, and illustrates the difficulty law enforcement faces in dismantling such an entity.
Origins and Modus Operandi
Evil Corp's criminal schemes were so elaborate that they seemed "difficult to imagine if they were not real". The organization built its reputation on banking Trojans, the most famous of which is Dridex.
• Dridex Malware: Dridex was delivered by phishing emails, often disguised as job applications, carrying Word or Excel attachments with malicious macros. When a recipient opened the attachment and enabled macros, the macro fetched and ran the Dridex loader; the Trojan then harvested online-banking credentials (for example by injecting content into banking pages in the browser) so the group could initiate fraudulent transfers from the victims' accounts. The Bugat/Cridex lineage that evolved into Dridex is credited with over $20 million in losses from 2009 to around 2012.
• Money Mules: To break the trail between a victim's account and the criminals, Evil Corp relied on money mules: individuals, often recruited unwittingly through fake job offers, who received stolen funds in their own accounts and forwarded them onward. One such case involved a woman named Angela Casados, who was tricked into becoming a mule and was arrested after unknowingly taking part in a scheme that stole $300,000 from a U.S. management company.
• Sabotage and Adaptation: Around 2012, security researchers gained access to the group's infrastructure and disrupted its operations, causing it significant financial losses. Evil Corp went quiet for a short time and then resurfaced with renewed intensity, launching thousands of attacks across more than 40 countries.
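The Dridex lure described above depended on a macro-enabled Office attachment. A first triage step on such a document is to inspect the OOXML container for a VBA project and for procedure names that Office runs automatically. The following added example (not code from the article or from any of the parties it describes) does exactly that on a constructed sample; the sample container, the part names and the "auto-exec" name list are assumptions for illustration and are not Dridex indicators taken from the page.

```python
import io
import re
import zipfile

# Macro-enabled Office documents (.docm, .xlsm, .dotm, ...) are OOXML zip
# containers. The VBA project lives in an OLE blob named vbaProject.bin under
# word/, xl/ or ppt/, and is declared in [Content_Types].xml.
VBA_PART_RE = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Procedure names Office invokes without user interaction. Searching the raw
# blob for them is a crude heuristic: real VBA source inside vbaProject.bin is
# normally MS-OVBA compressed, so a miss proves nothing (use olevba for depth).
AUTO_EXEC_RE = re.compile(
    rb"(AutoOpen|Document_Open|Workbook_Open|Auto_Open|AutoExec)", re.I
)


def scan_ooxml(data: bytes) -> dict:
    """Flag a VBA project and any plaintext auto-exec names in an OOXML file."""
    result = {
        "has_macros": False,
        "content_type_hit": False,
        "vba_parts": [],
        "auto_exec_hits": [],
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["error"] = "not an OOXML zip container"
        return result
    with zf:
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ctypes = ""
        result["content_type_hit"] = VBA_CONTENT_TYPE in ctypes
        for name in zf.namelist():
            if not VBA_PART_RE.match(name):
                continue
            result["vba_parts"].append(name)
            for m in AUTO_EXEC_RE.finditer(zf.read(name)):
                hit = m.group(1).decode()
                if hit not in result["auto_exec_hits"]:
                    result["auto_exec_hits"].append(hit)
        result["has_macros"] = bool(result["vba_parts"]) or result["content_type_hit"]
    return result


def build_sample(macro: bool) -> bytes:
    """Constructed stand-in for a .docm/.docx (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        override = (
            '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
            if macro else ""
        )
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            'package/2006/content-types">%s</Types>' % override,
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # OLE magic followed by an uncompressed stub so the heuristic fires.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"Sub AutoOpen()\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("job_application.docm", build_sample(True)),
                          ("resume.docx", build_sample(False))):
        print(label, scan_ooxml(sample))
```

In practice a `has_macros` hit on an unsolicited "job application" is enough to quarantine the message; the auto-exec scan only adds confidence, and an empty hit list must not be read as "no macro runs on open".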
Key Figures and Structure
Several individuals played crucial roles in Evil Corp's operations:
• Maxim Yakubets (Aqua): Identified as the leader of Evil Corp, Yakubets ran the entire operation.
• Igor Turishev (Nintuto; named as Igor Turashev in the 2019 U.S. indictment): Turishev oversaw the financial side of Evil Corp and owned three companies linked to cryptocurrency money-laundering services.
• Andre Ginkel (Smilex; named as Andrey Ghinkul in U.S. court filings): Ginkel was responsible for recruiting hackers. His arrest in Cyprus in 2015 set off a period of chaos within the organization.
• Maxim Vasilov & Andre Shkolavoy (Karamba): Both were also part of the leadership.
The structure of Evil Corp resembled that of a conventional company, with "managers, working times, customer service and even promotions for stealing more than others".
Law Enforcement and Countermeasures
The activities of Evil Corp drew the attention of law enforcement agencies worldwide.
• FBI and CIA Task Force: In response to the Dridex attacks, the FBI and CIA formed a special task force to investigate the group.
• Brian Krebs: Cybercrime journalist Brian Krebs contributed to exposing Evil Corp's activities by identifying compromised businesses and alerting them to fraudulent transfers.
• International Cooperation: The U.S. task force worked with the United Kingdom's National Crime Agency against Evil Corp.
• Arrest of Andre Ginkel: Ginkel's 2015 arrest gave investigators valuable insight into how the group operated.
• Indictment and Sanctions: In December 2019, federal prosecutors charged two Russian nationals associated with Evil Corp, and the U.S. Treasury sanctioned the group and its members; the State Department also offered a reward of up to $5 million for information leading to Yakubets' arrest. Because of the sanctions, a U.S. victim that pays a ransom to Evil Corp risks violating sanctions law, which later pushed the group to disguise its ransomware operations.
Evolution and Adaptation
Despite facing law enforcement pressure, Evil Corp demonstrated a remarkable ability to adapt and evolve.
• Shift to Ransomware: After Ginkel's arrest, the group considered abandoning banking fraud in favor of ransomware. In the end, some members moved to ransomware while others kept running Dridex and banking fraud.
• BitPaymer Malware: From 2017 Evil Corp deployed its own ransomware family, BitPaymer, typically delivered into networks it had already compromised with Dridex.
• New Identity: From 2020 onward, activity attributed to Evil Corp has been tracked under the cluster name UNC2165, under which the group used other operators' ransomware rather than its own branded families, making it harder for victims and insurers to recognize a sanctioned entity behind an attack.
• Retreat to Russia: The group consolidated its remaining members inside Russia, a country that does not extradite its citizens and is known for harboring cybercriminals.
Connections to Russian Intelligence
The ties between Evil Corp and the Russian government are a significant aspect of the syndicate's operations.
• FSB Involvement: Evil Corp leader Maxim Yakubets worked for the FSB (Federal Security Service of Russia), tasked with acquiring confidential documents through cyber-enabled means and conducting cyber operations on Russia's behalf.
• Family Connections: Yakubets' father-in-law, Edward Bendersky (Eduard Benderskiy in the U.S. Treasury designation), is a former high-ranking FSB officer with close ties to Vladimir Putin.
• Money Laundering: Igor Turishev, another key member of Evil Corp, owned companies engaged in money laundering, moving funds through cryptocurrency exchanges such as Suex OTC.
Impact and Legacy
Evil Corp's activities have had a far-reaching impact:
• Financial Losses: The group has stolen over $220 million directly and caused over $130 million in collateral damage to the international economy.
• Victims: At least 300 organizations in 43 countries have been hit by Evil Corp's attacks.
• Cybercrime Landscape: Evil Corp is widely regarded as a pioneer of the cybercrime-as-a-business model, setting the pattern for modern cybercriminal organizations.
Conclusion
Evil Corp stands as a prime example of a sophisticated, adaptable, and dangerous cybercrime syndicate. Its ability to change tooling and identity, and its connections to state entities, have allowed it to persist despite sustained law enforcement pressure. The group's history highlights the ongoing challenges in combating cybercrime and the need for international cooperation. Despite the indictments and sanctions, Evil Corp continues to operate and remains a significant threat to businesses and institutions worldwide.
• Evil Corp is a Russian cybercrime syndicate known for banking fraud and ransomware attacks.
• The group used the Dridex malware to steal banking credentials.
• Money mules were used to launder stolen funds.
• Key figures include Maxim Yakubets, Igor Turishev, and Andre Ginkel.
• Evil Corp has close ties to the Russian FSB and engages in money laundering.