Microsoft Connects USB Worm Attacks to 'EvilCorp' Ransomware Gang

Cybersleuths at Microsoft have found a link between the recent 'Raspberry Robin' USB-based worm attacks and EvilCorp, a notorious Russian ransomware operation sanctioned by the U.S. government.

According to fresh data from Redmond’s threat intelligence team, a ransomware-as-a-service gang it tracks as DEV-0206 has been caught rigging online ads to trick targets into installing a loader for additional malware previously attributed to EvilCorp.

Even more ominously, Microsoft said its research teams discovered EvilCorp malware distribution tactics and observed behavior all over the ‘Raspberry Robin’ worm seen squirming through corporate networks earlier this week.

The connection suggests the cybercriminals behind the EvilCorp operation are working with other groups to get around the U.S. Justice Department sanctions that block ransomware extortion payments.

"The use of a RaaS payload by the 'EvilCorp' activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status," Microsoft said. EvilCorp is allegedly run by Russian nationals Maksim Yakubets and Igor Turashev, who were charged by the United States in 2019. 

Microsoft explained that the gangs run distributed operations, with one team responsible for poisoning online ads and tricking Windows users into clicking on ZIP files that auto-deploy a JavaScript implant.

This is where EvilCorp takes over with hands-on-keyboard actions, downloading additional payloads, escalating privileges in a corporate network, and deploying data-encrypting ransomware.

Microsoft’s warnings come less than a week after cybersecurity firm Red Canary intercepted a Windows worm abusing hacked QNAP network-attached storage (NAS) devices as stagers to spread to new systems.

That USB-based worm, named 'Raspberry Robin', has been seen spreading in organizations related to the technology and manufacturing sectors.

Separately, ransomware recovery firm Coveware says the average ransom payment jumped about 8% from last quarter, reaching approximately $228,000. While the average was pulled up by several outliers, Coveware calculates that the median ransom payment actually decreased to $36,360, a 51% decrease from Q1 2022.  

"This trend reflects the shift of RaaS affiliates and developers towards the mid market where the risk to reward profile of attack is more consistent and less risky than high profile attacks. We have also seen an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts," Coveware said.

Coveware, which helps infected organizations with ransom payment negotiations and data recovery, said data exfiltration remains prevalent in ransomware cases. 

"The proportion of companies that succumb to data exfiltration extortion continues to confound and frustrate," Coveware said in a note that includes up-to-date calculations on the extent of the ransomware problem. 

"During Q2, we saw continued evidence that threat actors do not honor their word as it relates to destroying exfiltrated data. Despite our guidance, victims of data exfiltration continue to fuel the cyber extortion economy with these fruitless ransom payments."

The company's data shows that the industries most commonly impacted by ransomware attacks include professional services, the public sector, healthcare, software services, technology hardware and financial services.

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.