Last Updated: 2022-06-13 08:45
Evil Corp is considered one of the most difficult groups to track due to its repeated efforts to stay under the radar by reinventing itself as an attacker.
However, #KillingTheBear has gathered and centralized information from different sources and researchers who have worked hard to attribute activities of different groups and campaigns that can be attributed to Evil Corp with sufficient confidence.


Evil Corp is a sophisticated eCrime group that has been operating Dridex since June 2014, although the group is believed to have been in active since 2007-2009.
This group began using malicious software to steal currency from victims’ bank accounts. It is said to be linked to Moscow, Russia, and is struggling to evade sanctions as all the payments made to this group are being tracked by the FBI and NSA.
In 2016, Evil Corp had harvested banking credentials from customers at approximately 300 banks and financial institutions in over 40 countries, making the group one of the main financial threats faced by businesses.
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned the Evil Corp in December 2019, citing the group's extensive development and use and control of the DRIDEX malware ecosystem.
These days Ransomware and its spread are being treated as a national threat as the file-encrypting has a potential to break a business on a permanent note.
Since the sanctions were announced, Evil Corp-affiliated actors appear to have continuously changed the ransomware they use to try to stay under the radar, has not only tried to change its ransomware, but has also attempted to affiliate itself with RaaS LockBit and there are indications that it has tried to impersonate REvil. Analysts with cybersecurity firm Emsisoft in December 2021 said they suspected that a ransomware infection in which the REvil name came up numerous times throughout likely was the work of Evil Corp
Specifically following an October 2020 OFAC advisory, there was a cessation of WASTEDLOCKER activity and the emergence of multiple closely related ransomware variants in relatively quick succession. These developments suggested that the actors faced challenges in receiving ransom payments following their ransomware's public association with Evil Corp.
Evil Corp might stolen over $100 million in the year 2019-20 alone.

First Seen

Some information dated back as far as 2010, when Russian police were still prepared to collaborate with their US colleagues. But with high probability they has been active since 2007, starting as affiliates to other criminal groups.
They got more popular and active once Dridex malware was created and spread during phishing attacks

Main Timeline

  • 2009: Evil Corp arrives on the scene, allegedly using malware called Cridex, Dridex, Bugat or Zeus to steal banking logins and grab money from accounts
  • 2012: Members of Evil Corp are indicted by a court in Nebraska under their online monikers, as their identities are unknown (Yakubets allegedly goes under the name "Aqua")
  • 2017: The crew is accused of starting a "ransomware as a service" (RaaS) operation - it's claimed other hackers pay to use their ransomware, called BitPaymer
  • 2019: Yakubets, Turashev and seven others are indicted, sanctioned or designated in the US - a $5m bounty is offered for information leading to Yakubets' arrest
  • Since 2019, Evil Corp is alleged to have cycled through different brands and variants of ransomware including DoppelPaymer, Grief, WastedLocker, Hades, Phoenix and Macaw in order to continue to pivot around OFAC sanctions


  • Financial crime
  • Financial gain
  • State-Sponsored

Affiliation Diagram

Evil Corp affiliation diagram - By Sentinel Labs

Episode with Mandiant and Lockbit

On June 62022, the group affiliated with the Lockbit 2.0 ransomware published on its leaks site that it had compromised the security firm Mandiant, in the same style as its other victims.
However, different media and researchers have denied the information circulating on networks and the Internet, indicating that the event only occurred as a sort of "warning" against the company and that this would give an "idea" that other ransomware operators would be migrating their activities to avoid the sanctions imposed by the U.S. to the use of this type of attacks.
The ransomware group published a new page on its data leak website, saying that the 356,841 files they allegedly stole from Mandiant will be leaked online.
The page displays a 0-byte file named '' that appears to be related to a mandiantyellowpress[.]com domain. Visiting this page redirects to the ninjaflex[.]com site.
After LockBit published the files, it looks like this wasn't about files stolen from Mandiant's network but, instead, about the ransomware group trying to distance itself from the Evil Corp cybercrime gang.
This was likely prompted by LockBit fearing the lost revenue because their victims will stop paying ransoms as Evil Corp is sanctioned by the U.S. government.
"Mandiant has reviewed the data disclosed in the initial LockBit release. Based on the data that has been released, there are no indications that Mandiant data has been disclosed but rather the actor appears to be trying to disprove Mandiant's June 2nd, 2022 research blog on UNC2165 and LockBit," Mandiant's Karayan told BleepingComputer.
Copy link
On this page
First Seen
Main Timeline
Affiliation Diagram
Episode with Mandiant and Lockbit