A new, powerful Russian hacking group has emerged, and much to the dismay of Mr. Robot fans, they’re calling themselves Evil Corp. They saw a window, and they took it. Because COVID-19 has essentially rearranged the entire world, a lot of security precautions and concerns have fallen by the wayside. Evil Corp understood the impact that COVID had on the exchange of sensitive information, and they’ve found a highly effective way to get their hands on it.
The Risks of Working From Home
When you’re at work using a work device, you’re locked into the company’s VPN and security software. Everyone is held to the same standard by the workplace IT professional in charge of security. When you’re at home, things are a little different. If you encounter something unusual, you can’t call your IT pro to come over and take a look. Working from home introduces all sorts of new variables that leave companies open to information-related attacks.
Evil Corp has been targeting at-home workers who connect via their employer’s VPN. Targeting the VPN of a large employer (and the less-than-comprehensive cybersecurity knowledge of a remote worker) allows Evil Corp to obtain important pieces of corporate information piece by piece, and reassemble them to create the impact of a massive corporate hack.
How Was The Hacking Effort Discovered?
Cybersecurity firm Symantec was searching for common threads to connect ransomware attacks of the same variety, and their research was able to narrow down the demographic (at-home workers for major companies) and the group responsible (Evil Corp). Although the impact is not yet technically widespread, Symantec has collected enough data and made enough valuable observations to create a projection of what Evil Corp’s large scale plan must be, and it’s not pretty.
What is WastedLocker?
WastedLocker is Evil Corp’s ransomware. It is delivered from one of roughly 150 trusted websites that Evil Corp has quietly gained access to and compromised through the ads they serve. Visiting one of these websites triggers what appears to be a software update window. When a user clicks on the window they are, without realizing it, redirected to a web host that starts downloading the ransomware silently in the background.
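The chain just described (a visit to a legitimate site, a fake update prompt, a redirect to a different host, and a background download) leaves a recognisable footprint in web proxy logs. The following is an added detection example written for this post, not code from Symantec, TorGuard or Evil Corp’s tooling. It assumes a simple space-separated proxy log format (timestamp, client, method, URL, status, content type, referer) and uses constructed sample lines with made-up hostnames; the thresholds and keyword list are assumptions a defender would tune to their own traffic.

```python
"""Flag fake-update download chains in proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log, not real traffic. Format (assumed for this example):
#   timestamp client method url status content_type referer   ("-" = no referer)
SAMPLE_LOG = """\
2020-06-25T09:00:01 10.0.0.5 GET https://news.example-site.test/article/42 200 text/html -
2020-06-25T09:00:02 10.0.0.5 GET https://ads.example-adnet.test/serve.js 200 application/javascript https://news.example-site.test/article/42
2020-06-25T09:00:04 10.0.0.5 GET https://update-notice.example-bad.test/update.php 302 text/html https://news.example-site.test/article/42
2020-06-25T09:00:05 10.0.0.5 GET https://cdn.example-bad.test/Chrome.Update.zip 200 application/zip https://news.example-site.test/article/42
2020-06-25T09:10:00 10.0.0.7 GET https://intranet.example-corp.test/portal 200 text/html -
2020-06-25T09:10:01 10.0.0.7 GET https://intranet.example-corp.test/static/app.js 200 application/javascript https://intranet.example-corp.test/portal
2020-06-25T09:10:09 10.0.0.7 GET https://intranet.example-corp.test/files/report.zip 200 application/zip https://intranet.example-corp.test/portal
"""

# Content types and extensions that indicate a file download rather than page content.
DOWNLOAD_TYPES = {"application/zip", "application/x-msdownload",
                  "application/octet-stream", "application/x-msdos-program"}
DOWNLOAD_EXTS = (".exe", ".zip", ".msi", ".js")
# Words the lure typically uses in the file name (assumed list, tune to taste).
UPDATE_WORDS = ("update", "upgrade", "install")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
WINDOW = timedelta(seconds=30)  # how far back to look for the page visit / redirect hop


def parse_line(line):
    ts, client, method, url, status, ctype, referer = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "status": int(status), "ctype": ctype,
            "referer": None if referer == "-" else referer}


def host(url):
    return (urlparse(url).hostname or "").lower()


def is_download(ev):
    return ev["ctype"] in DOWNLOAD_TYPES or ev["url"].lower().endswith(DOWNLOAD_EXTS[:3])


def find_fake_update_chains(log_text):
    """Return one alert per cross-site download that follows a recent page visit
    and either carries an update-themed file name or was preceded by a redirect
    through a third host. Same-site downloads (first-party files) are ignored."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    alerts = []
    for client, evs in by_client.items():
        for ev in evs:
            if not is_download(ev) or not ev["referer"]:
                continue
            lure_site, download_host = host(ev["referer"]), host(ev["url"])
            if lure_site == download_host:
                continue  # first-party download, not the drive-by pattern
            name = ev["url"].rsplit("/", 1)[-1].lower()
            update_named = any(w in name for w in UPDATE_WORDS)
            recent = [p for p in evs if ev["ts"] - WINDOW <= p["ts"] <= ev["ts"]]
            page_visit = any(p["url"] == ev["referer"] for p in recent)
            redirect_hosts = [host(r["url"]) for r in recent
                              if r["status"] in REDIRECT_STATUSES
                              and host(r["url"]) not in (lure_site, download_host)]
            if page_visit and (update_named or redirect_hosts):
                alerts.append({"client": client, "time": ev["ts"].isoformat(),
                               "lure_site": lure_site, "download_host": download_host,
                               "download": name, "update_named": update_named,
                               "redirect_hosts": redirect_hosts})
    return alerts


if __name__ == "__main__":
    for a in find_fake_update_chains(SAMPLE_LOG):
        print(a)
```

On the constructed sample this yields a single alert for client 10.0.0.5 (news site visit, redirect through update-notice.example-bad.test, then Chrome.Update.zip from a third host) and stays silent for the intranet client, whose zip download is first-party. In practice the same logic would be run against the proxy or DNS logs of remote workers’ VPN sessions, and the alert fields give an analyst the lure site to block and the download host to hunt for across other clients.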
It appears as though Evil Corp is attempting to target numerous large corporations, including Fortune 500 companies. By infecting as many remote employees as possible, they intend to use the sheer volume of compromised people to launch a ransomware attack that holds the company’s assets hostage until a large ransom is paid.
This is not Evil Corp’s first attempt to hijack large amounts of money. In 2019, the group orchestrated a fraud scheme that helped them secure over $100 million in cash from banks all over the world.
Who Was Impacted?
Symantec won’t release the names of the companies they believe to be affected by Evil Corp’s WastedLocker ransomware attacks. This is common practice – cybersecurity firms should always contact the organizations they believe to be impacted before releasing the details they’ve uncovered. We’re still waiting on companies to make announcements about whether and how they were impacted by Evil Corp.
All Symantec will officially state is that they believe 31 corporations were impacted, with eight of them being Fortune 500 companies and one of them being a major news organization.
The Bounty on Evil Corp
Two known members of Evil Corp have already been indicted by the United States Government. The US government typically seeks the help of ethical hobby hackers to find malicious hackers or mitigate the damage they’ve done. As is usually the case, the government is offering a reward of up to $5 million for information leading to the arrest of high-ranking Evil Corp players.
How to Protect Yourself
Protecting yourself from ransomware attacks like Evil Corp’s is a bit harder. Because the ransomware installs itself in a way that mimics a software update, it’s easy for people to see the installation as an innocent or even necessary task. Remote workers should be careful not to install any updates from a pop-up window, no matter how important they seem or where they appear to come from. Only update from within the Windows “Check for updates” settings. Treat every download as a potential threat until security authorities are certain that WastedLocker is under control. If you use TorGuard VPN services you can enable our ad- and malware-blocking DNS and use the Brave web browser to block rogue scripts from running.