Tracking Adversaries: EvilCorp, the RansomHub affiliate

-

 


Introduction

This blog is part of a cyber threat intelligence (CTI) blog series called Tracking Adversaries that investigates prominent or new threat groups.

The focus of this blog is EvilCorp, a sanctioned Russia-based cybercriminal enterprise known for launching ransomware attacks, and RansomHub, a prominent ransomware as a service (RaaS) operation run by Russian-speaking cybercriminals.

These two threat groups have been linked together through cooperation on intrusions and IOCs and TTPs shared by multiple CTI sources. The implication of this link is critical due to RansomHub being the most active ransomware gang and is working with a well-known sanctioned affiliate.

Who is RansomHub?

Active since February 2024, RansomHub is a RaaS operation formerly known as Cyclops and Knight and is run by Russian-speaking adversaries. It is currently used by more and more cybercriminals that are ex-affiliates of other RaaS operations. This includes the ALPHV/BlackCat RaaS and the LockBit RaaS, which have since shutdown or disappeared. This has made the RansomHub RaaS one of the most widespread ransomware families as of early 2025.

Due to having a high number of affiliates, the tools and TTPs observed before the final RansomHub payload is deployed can vary significantly. Each affiliate may have their own set of tools and TTPs to achieve the final objectives of data exfiltration and ransomware deployment.

Who is EvilCorp?

Evil Corp is an international cybercrime network sanctioned for orchestrating large-scale financial cyberattacks led by Maksim Yakubets. EvilCorp’s operations have evolved over time, expanding from Dridex banking trojan campaigns into developing ransomware like BitPaymer, WastedLocker, Hades, PhoenixLocker, and MacawLocker.

Notably, Aleksandr Ryzhenkov, was identified by the National Crime Agency (NCA) as a high-ranking member of EvilCorp and also LockBit affiliate. Ryzhenkov became a LockBit affiliate around 2022, contributing to over 60 LockBit ransomware builds and attempting to extort more than $100 million from victims. This discovery aligns with Mandiant’s previous reporting on EvilCorp shifting to LockBit as well.

The NCA also found that EvilCorp maintains close ties with Russian intelligence agencies through Yakubets' father-in-law, Eduard Bendersky, a former FSB officer, who is suspected of using his influence to shield the group from prosecution in Russia.

One of the TTPs that makes EvilCorp standout from the rest of the RaaS affiliates is their own affiliation to the SocGholish JavaScript malware (aka FAKEUPDATES). If ransomware deployment takes place following a SocGholish infection, then the attackers responsible for the attack will be affiliated with EvilCorp.

Reported Connections Between EvilCorp and RansomHub

On 15 July 2024, Microsoft shared a post on X stating that RansomHub was observed being deployed in post-compromise activity by Manatee Tempest (which is Microsoft’s name for EvilCorp) following initial access via SocGholish (aka FakeUpdates) infections (which Microsoft tracks as Mustard Tempest).

A screenshot of a computer AI-generated content may be incorrect.

On 15 January 2025, Guidepoint wrote a blog on a new Python backdoor used by an affiliate of RansomHub. Notably, the new Python backdoor was delivered by SocGholish. Therefore, this Python backdoor is another potential artifact worth monitoring for its connection to known EvilCorp-related malware.

The next day, on 16 January 2025, Google shared a report on EvilCorp (which Google tracks as UNC2165) that disclosed numerous tools and malware families they have been using to deliver RansomHub, including a Python backdoor dubbed VIPERTUNNEL (see the image below). The presence of a Python backdoor following a SocGholish infection is notable TTP that overlaps with the Guidepoint blog on RansomHub.

On 14 March 2025, Trend Micro disclosed further details that also confirmed the SocGholish malware is leading to the deployment of RansomHub ransomware. The operators of SocGholish are tracked as Water Scylla by Trend Micro. The operators distribute SocGholish via the Keitaro Traffic Direction System (TDS), a legitimate service used for marketing campaigns. Trend Micro also observed SocGholish dropping the same custom Python backdoor (aka VIPERTUNNEL) as well.

So What?

EvilCorp has been under US sanctions since 2019, making it illegal for affected organisations to pay ransoms to them without facing potential fines from the US Treasury’s Office of Foreign Assets Control (OFAC). Despite these sanctions, EvilCorp has continued its cybercriminal activities by adapting its tactics to include rebranding their ransomware and becoming an affiliate of RaaS operations, such as LockBit and RansomHub. 

The key indicator of EvilCorp's involvement in ransomware attacks continues to be the use of the SocGholish malware, which employs drive-by downloads masquerading as web browser software updates to gain initial access to systems.

EvilCorp’s affiliation with RansomHub raises the possibilities that RansomHub may soon face sanctions similar to those imposed on EvilCorp. Consequently, any victim that pays a ransom to RansomHub could become significantly riskier for cyber insurance organisations, incident responders, and ransomware negotiators, as they may inadvertently violate sanctions and face legal repercussions.

Given EvilCorp's prominence as a target for international law enforcement, its association with RansomHub is likely to draw increased scrutiny. This could result in RansomHub becoming the focus of future law enforcement actions, including potential takedowns and additional sanctions, further complicating the landscape for entities involved in ransomware response and mitigation.

There is also the increased likelihood that RansomHub will now rebrand. As we saw in the BlackBasta Leaks, ransomware groups pay close attention to the news, CTI reports, and even posts on X and even blogs by researchers. This association to EvilCorp and threat of sanctions is an issue for ransomware groups as it impacts their business model and makes earning harder. Therefore, by linking the two entities together CTI analysts can impose cost on these cybercriminals.

References:

  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
  2. https://www.bankinfosecurity.com/blogs/ransomhub-hits-powered-by-ex-affiliates-lockbit-blackcat-p-3703
  3. https://www.ransomware.live/group/ransomhub#ttps
  4. https://home.treasury.gov/news/press-releases/sm845
  5. https://web.archive.org/web/20200213115628/https:/www.nationalcrimeagency.gov.uk/news/international-law-enforcement-operation-exposes-the-world-s-most-harmful-cyber-crime-group
  6. https://www.crowdstrike.com/en-us/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/
  7. https://web.archive.org/web/20241004104429/https:/www.nationalcrimeagency.gov.uk/news/further-evil-corp-cyber-criminals-exposed-one-unmasked-as-lockbit-affiliate
  8. https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0206-DEV-0243
  9. https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates
  10. https://x.com/msftsecintel/status/1812932754947911780
  11. https://www.microsoft.com/en-gb/security/security-insider/manatee-tempest
  12. https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/
  13. https://services.google.com/fh/files/misc/threat_horizons_report_h1_2025.pdf
  14. https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
  15. https://blog.bushidotoken.net/2025/02/blackbasta-leaks-lessons-from-ascension.html


Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-sprea...
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on ...
Read more

The Russian APT Tool Matrix

-
Image
Introduction Based on feedback I have received from fellow CTI researchers, incident responders, and managed detection and response teams around my Ransomware Tool Matrix project, I decided to make another Tool Matrix focused on one hostile state in particular: Russia. Again, as defenders, we should exploit the fact the tools used by these Russian APT groups are often reused and through proactive defensive work, we can frustrate and even eliminate the ability of certain adversaries to launch intrusions. Using the Russian APT Tool Matrix comes with its own challenges. While it is undoubtedly useful to have a list of tools commonly used by Russian APTs to hunt, detect, and block, there are some risks, as noted in the repository. The new repository also contains multiple types of Russian threat groups, this includes adversaries part of the GRU, SVR, and FSB. The alias of each Russian threat group has been chosen by what the author of this repo believes it is most well-known as. ...
Read more