LockBit Ransomware Detection: Cybercriminal Gang Evil Corp Affiliates, aka UNC2165, Attempt to Evade U.S. Sanctions

In December 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned the Russia-linked cybercriminal gang tracked as Evil Corp (aka Dridex, INDRIK SPIDER) that stood behind the deployment and distribution of the notorious Dridex malware targeting banks and financial institutions for nearly a decade. In an attempt to evade sanctions, threat actors were looking for ways to shift to more sophisticated ransomware operations by developing and applying new malware samples, including WasterLocker and Hades ransomware, the latter enriched with a set of code obfuscation enhancements.

According to the latest research by Mandiant, a financially motivated threat group dubbed UNC2165 earlier observed delivering Hades malware and also linked to LockBit ransomware intrusions, can be affiliated with the Evil Corp actors based on overlaps and similar adversary behavior patterns. Therefore, the malicious activity of the UNC2165 group can be considered another step in the evolution of Evil Corp-affiliated operations. 

Detect Evil Corp Activity Affiliated With UNC2165 

The evolution of ransomware attacks poses a serious threat to global organizations, therefore their timely detection seems like a significant consideration when building an efficient cybersecurity strategy. To detect the malicious activity of notorious Evil Corp affiliates constantly evolving their adversary toolkit, explore a dedicated set of Sigma rules from the SOC Prime’s Detection as Code platform:

Sigma rules to detect Evil Corp-affiliated activity also tracked as UNC2165

All detections are applicable to industry-leading SIEM, EDR, and XDR solutions supported by SOC Prime’s platform and are aligned with the MITRE ATT&CK® framework ensuring comprehensive visibility into relevant threats. 

InfoSec practitioners striving to be fully equipped with enhanced threat detection and hunting capabilities are prompted to explore the entire collection of Sigma rules available in the SOC Prime’s platform and tailored to custom security needs. To explore the comprehensive list of SOC content to detect LockBit ransomware and instantly search for relevant threats, click the Detect and Hunt button. To instantly explore MITRE ATT&CK reference, relevant CTI, and more metadata for in-depth threat investigation, browse SOC Prime’s search engine for Threat Detection, Threat Hunting, and CTI by clicking the Explore Threat Context button.

Detect & Hunt Explore Threat Context

UNC2165 Deploys LockBit Ransomware: New Attack Vectors

According to the in-depth inquiry by Mandiant, the hacker collective tracked as UNC2165 is increasingly using LockBit ransomware for financial gains. Security experts point out that UNC2165 has significant overlaps with Evil Corp actors, presumably being the new incarnation of the collective that morphs its toolset once again to avoid U.S. sanctions.

Since being sanctioned in 2019 for Dridex malware campaigns, Evil Corp group has shifted the toolset several times to proceed with financially-motivated operations. Previously, the group had a unique approach to penetrate the targeted networks via the “FakeUpdates” infection chain, deploying custom variants of WastedLocker and Hades. However, recently Evil Corp has been spotted increasingly relying on LockBit ransomware-as-a-service (RaaS) instead of exclusive ransomware samples. The reason for that is dodging OFAC sanctions by concealing within other LockBit RaaS affiliates and leveraging the LockBit infrastructure for anonymized operations.

Mandiant experts have analyzed the new kill chain concluding that UNC2165- actors stick to FakeUpdates for the initial intrusion. Particularly hackers use DONUT and COLOFAKE loaders to deploy Cobalt Strike Beacon and gain a foothold on the network. Further, Mimikatz and Kerebroasting attacks are leveraged for privilege escalation, while a set of native Microsoft Windows utilities (whoami, nltest, cmdkey, and net) are used for internal reconnaissance. After the sensitive data across the environment is accessed and exfiltrated by hackers, UNC2165 drops LockBit payloads to encrypt targeted assets. 

Boost threat detection capabilities and accelerate threat hunting velocity by accessing the most comprehensive SOC team toolset available via SOC Prime’s Detection as Code platform! Join now for free and instantly access the largest library of detection content alongside advanced tools to increase the effectiveness of your cybersecurity operations.