Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Microsoft Connects USB Worm Attacks to ‘EvilCorp’ Ransomware Gang

Cybersleuths at Microsoft have found a link between the recent ‘Raspberry Robin’ USB-based worm attacks and EvilCorp, a notorious Russian ransomware operation sanctioned by the U.S. government.

Cybersleuths at Microsoft have found a link between the recent ‘Raspberry Robin’ USB-based worm attacks and EvilCorp, a notorious Russian ransomware operation sanctioned by the U.S. government.

According to fresh data from Redmond’s threat intelligence team, a ransomware-as-a-service gang it tracks as DEV-0206 has been caught rigging online ads to trick targets into installing a loader for additional malware previously attributed to EvilCorp.

Even more ominously, Microsoft said its research teams discovered EvilCorp malware distribution tactics and observed behavior all over the ‘Raspberry Robin’ worm seen squirming through corporate networks earlier this week.

The connection suggests the cybercriminals behind the EvilCorp operation are working with other groups to get around the U.S. Justice department sanctions that block ransomware extortion payments.

“The use of a RaaS payload by the ‘EvilCorp’ activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status,” Microsoft said. EvilCorp is allegedly run by Russian nationals Maksim Yakubets and Igor Turashev, who were charged by the United States in 2019. 

[ READ: US Indicts ‘Evil Corp’ Hackers With Alleged Russian Intelligence Ties ]

Microsoft explained that the gangs have distributed operations with one team responsible for poisoning online ads and tricking Windows users into clicking on ZIP files that auto-deploys a JavaScript implant.

This is where EvilCorp takes over with hands-on keyboard actions, downloading additional payloads, escalating privileges in a corporate network, and deploying data-encrypting ransomware.

Microsoft’s warnings come less than a week after cybersecurity firm Red Canary intercepted a Windows worm abusing hacked QNAP network-attached storage (NAS) devices as stagers to spread to new systems.

That USB-based worm, named ‘Raspberry Robin’, has been seen spreading in organizations related to the technology and manufacturing sectors.

Separately, ransomware recovery firm Coveware says the average ransom payment jumped about 8% from last quarter, reaching approximately $228,000. While the average was pulled up by several outliers, Coveware calculates that the median ransom payment actually decreased to $36,360, a 51% decrease from Q1 2022.  

[ READ: ‘Raspberry Robin’ Windows Worm Abuses QNAP Devices ]

“This trend reflects the shift of RaaS affiliates and developers towards the mid market where the risk to reward profile of attack is more consistent and less risky than high profile attacks. We have also seen an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts,” Coveware said.

Coveware, which helps infected organizations with ransom payment negotiations and data recovery, said data exfiltration remains prevalent in ransomware cases. 

“The proportion of companies that succumb to data exfiltration extortion continues to confound and frustrate,” Coveware said in a note that includes up-to-date calculations on the extent of the ransomware problem. 

“During Q2, we saw continued evidence that threat actors do not honor their word as it relates to destroying exfiltrated data. Despite our guidance, victims of data exfiltration continue to fuel the cyber extortion economy with these fruitless ransom payments.”

The company’s data shows that the most common industries impacted by ransomware attacks include the professional services and public sector, healthcare, software services, technology hardware and financial services. 

Related: Law Enforcement, Cyber Insurance Driving Anti-Ransomware Success

Related: Russian ‘Evil Corp’ Cybercriminals Possibly Evolved Into Cyberspies 

Related: US Indicts ‘Evil Corp’ Hackers With Alleged Russian Intelligence

Related: ‘Raspberry Robin’ Windows Worm Abuses QNAP Devices 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.