Connect with us

Hi, what are you looking for?


Application Security

Microsoft Connects USB Worm Attacks to ‘EvilCorp’ Ransomware Gang

Cybersleuths at Microsoft have found a link between the recent ‘Raspberry Robin’ USB-based worm attacks and EvilCorp, a notorious Russian ransomware operation sanctioned by the U.S. government.

Cybersleuths at Microsoft have found a link between the recent ‘Raspberry Robin’ USB-based worm attacks and EvilCorp, a notorious Russian ransomware operation sanctioned by the U.S. government.

According to fresh data from Redmond’s threat intelligence team, a ransomware-as-a-service gang it tracks as DEV-0206 has been caught rigging online ads to trick targets into installing a loader for additional malware previously attributed to EvilCorp.

Even more ominously, Microsoft said its research teams discovered EvilCorp malware distribution tactics and observed behavior all over the ‘Raspberry Robin’ worm seen squirming through corporate networks earlier this week.

The connection suggests the cybercriminals behind the EvilCorp operation are working with other groups to get around the U.S. Justice department sanctions that block ransomware extortion payments.

“The use of a RaaS payload by the ‘EvilCorp’ activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status,” Microsoft said. EvilCorp is allegedly run by Russian nationals Maksim Yakubets and Igor Turashev, who were charged by the United States in 2019. 

[ READ: US Indicts ‘Evil Corp’ Hackers With Alleged Russian Intelligence Ties ]

Microsoft explained that the gangs have distributed operations with one team responsible for poisoning online ads and tricking Windows users into clicking on ZIP files that auto-deploys a JavaScript implant.

Advertisement. Scroll to continue reading.

This is where EvilCorp takes over with hands-on keyboard actions, downloading additional payloads, escalating privileges in a corporate network, and deploying data-encrypting ransomware.

Microsoft’s warnings come less than a week after cybersecurity firm Red Canary intercepted a Windows worm abusing hacked QNAP network-attached storage (NAS) devices as stagers to spread to new systems.

That USB-based worm, named ‘Raspberry Robin’, has been seen spreading in organizations related to the technology and manufacturing sectors.

Separately, ransomware recovery firm Coveware says the average ransom payment jumped about 8% from last quarter, reaching approximately $228,000. While the average was pulled up by several outliers, Coveware calculates that the median ransom payment actually decreased to $36,360, a 51% decrease from Q1 2022.  

[ READ: ‘Raspberry Robin’ Windows Worm Abuses QNAP Devices ]

“This trend reflects the shift of RaaS affiliates and developers towards the mid market where the risk to reward profile of attack is more consistent and less risky than high profile attacks. We have also seen an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts,” Coveware said.

Coveware, which helps infected organizations with ransom payment negotiations and data recovery, said data exfiltration remains prevalent in ransomware cases. 

“The proportion of companies that succumb to data exfiltration extortion continues to confound and frustrate,” Coveware said in a note that includes up-to-date calculations on the extent of the ransomware problem. 

“During Q2, we saw continued evidence that threat actors do not honor their word as it relates to destroying exfiltrated data. Despite our guidance, victims of data exfiltration continue to fuel the cyber extortion economy with these fruitless ransom payments.”

The company’s data shows that the most common industries impacted by ransomware attacks include the professional services and public sector, healthcare, software services, technology hardware and financial services. 

Related: Law Enforcement, Cyber Insurance Driving Anti-Ransomware Success

Related: Russian ‘Evil Corp’ Cybercriminals Possibly Evolved Into Cyberspies 

Related: US Indicts ‘Evil Corp’ Hackers With Alleged Russian Intelligence

Related: ‘Raspberry Robin’ Windows Worm Abuses QNAP Devices 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...