{
	"id": "08d5ae86-4bd0-4da8-a13d-a29cbdcd368e",
	"created_at": "2026-04-06T01:29:08.13387Z",
	"updated_at": "2026-04-10T03:36:36.75659Z",
	"deleted_at": null,
	"sha1_hash": "4fb9592c517340c4f12e2660a7c66b15f1833261",
	"title": "Ransomware Gangs and the Name Game Distraction",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 916411,
	"plain_text": "Ransomware Gangs and the Name Game Distraction\r\nPublished: 2021-08-05 · Archived: 2026-04-06 00:09:16 UTC\r\nIt’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to\r\ndisband. We hang on to these occasional victories because history tells us that most ransomware moneymaking\r\ncollectives don’t go away so much as reinvent themselves under a new name, with new rules, targets and\r\nweaponry. Indeed, some of the most destructive and costly ransomware groups are now in their third incarnation.\r\nA rough timeline of major ransomware operations and their reputed links over time.\r\nReinvention is a basic survival skill in the cybercrime business. Among the oldest tricks in the book is to fake\r\none’s demise or retirement and invent a new identity. A key goal of such subterfuge is to throw investigators off\r\nthe scent or to temporarily direct their attention elsewhere.\r\nCybercriminal syndicates also perform similar disappearing acts whenever it suits them. These organizational\r\nreboots are an opportunity for ransomware program leaders to set new ground rules for their members — such as\r\nwhich types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a\r\nransom payment an affiliate should expect for bringing the group access to a new victim network.\r\nI put together the above graphic to illustrate some of the more notable ransom gang reinventions over the past five\r\nyears. What it doesn’t show is what we already know about the cybercriminals behind many of these seemingly\r\nhttps://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/\r\nPage 1 of 6\n\ndisparate ransomware groups, some of whom were pioneers in the ransomware space almost a decade ago. 
We’ll\r\nexplore that more in the latter half of this story.\r\nOne of the more intriguing and recent revamps involves DarkSide, the group that extracted a $5 million ransom\r\nfrom Colonial Pipeline earlier this year, only to watch much of it get clawed back in an operation by the U.S.\r\nDepartment of Justice.\r\nAfter acknowledging someone had also seized their Internet servers, DarkSide announced it was folding. But a\r\nlittle more than a month later, a new ransomware affiliate program called BlackMatter emerged, and experts\r\nquickly determined BlackMatter was using the same unique encryption methods that DarkSide had used in their\r\nattacks.\r\nDarkSide’s demise roughly coincided with that of REvil, a long-running ransomware group that claims to have\r\nextorted more than $100 million from victims. REvil’s last big victim was Kaseya, a Miami-based company\r\nwhose products help system administrators manage large networks remotely. That attack let REvil deploy\r\nransomware to as many as 1,500 organizations that used Kaseya.\r\nREvil demanded a whopping $70 million to release a universal decryptor for all victims of the Kaseya attack. Just\r\ndays later, President Biden reportedly told Russian President Vladimir Putin that he expects Russia to act when\r\nthe United States shares information on specific Russians involved in ransomware activity.\r\nA REvil ransom note.\r\nWhether that conversation prompted actions is unclear. But REvil’s victim shaming blog would disappear from\r\nthe dark web just four days later.\r\nMark Arena, CEO of cyber threat intelligence firm Intel 471, said it remains unclear whether BlackMatter is the\r\nREvil crew operating under a new banner, or if it is simply the reincarnation of DarkSide.\r\nBut one thing is clear, Arena said: “Likely we will see them again unless they’ve been arrested.”\r\nLikely, indeed. 
REvil is widely considered a reboot of GandCrab, a prolific ransomware gang that boasted of\r\nextorting more than $2 billion over 12 months before abruptly closing up shop in June 2019. “We are living proof\r\nthat you can do evil and get off scot-free,” Gandcrab bragged.\r\nAnd wouldn’t you know it: Researchers have found GandCrab shared key behaviors with Cerber, an early\r\nransomware-as-a-service operation that stopped claiming new victims at roughly the same time that GandCrab\r\ncame on the scene.\r\nGOOD GRIEF\r\nThe past few months have been a busy time for ransomware groups looking to rebrand. BleepingComputer\r\nrecently reported that the new “Grief” ransomware startup was just the latest paintjob of DoppelPaymer, a\r\nransomware strain that shared most of its code with an earlier iteration from 2016 called BitPaymer.\r\nAll three of these ransom operations stem from a prolific cybercrime group known variously as TA505, “Indrik\r\nSpider” and (perhaps most memorably) Evil Corp. According to security firm CrowdStrike, Indrik Spider was\r\nformed in 2014 by former affiliates of the GameOver Zeus criminal network who internally referred to themselves\r\nas “The Business Club.”\r\nThe Business Club was a notorious Eastern European organized cybercrime gang accused of stealing more than\r\n$100 million from banks and businesses worldwide. In 2015, the FBI offered a standing $3 million bounty for\r\ninformation leading to the capture of the Business Club’s leader — Evgeniy Mikhailovich Bogachev. By the time\r\nthe FBI put a price on his head, Bogachev’s Zeus trojan and later variants had been infecting computers for nearly\r\na decade.\r\nThe alleged ZeuS Trojan author, Evgeniy Mikhaylovich Bogachev. Source: FBI\r\nBogachev was way ahead of his colleagues in pursuing ransomware. 
His Gameover Zeus Botnet was a peer-to-peer crime machine that infected between 500,000 and a million Microsoft Windows computers. Throughout\r\n2013 and 2014, PCs infected with Gameover were seeded with Cryptolocker, an early, much-copied ransomware\r\nstrain allegedly authored by Bogachev himself.\r\nCrowdStrike notes that shortly after the group’s inception, Indrik Spider developed their own custom malware\r\nknown as Dridex, which has emerged as a major vector for deploying malware that lays the groundwork for\r\nransomware attacks.\r\n“Early versions of Dridex were primitive, but over the years the malware became increasingly professional and\r\nsophisticated,” CrowdStrike researchers wrote. “In fact, Dridex operations were significant throughout 2015 and\r\n2016, making it one of the most prevalent eCrime malware families.”\r\nThat CrowdStrike report was from July 2019. In April 2021, security experts at Check Point Software found\r\nDridex was still the most prevalent malware (for the second month running). Mainly distributed via well-crafted\r\nphishing emails — such as a recent campaign that spoofed QuickBooks — Dridex often serves as the attacker’s\r\ninitial foothold in company-wide ransomware attacks, CheckPoint said.\r\nREBRANDING TO AVOID SANCTIONS\r\nAnother ransomware family tied to Evil Corp. and the Dridex gang is WastedLocker, which is the latest name of\r\na ransomware strain that has rebranded several times since 2019. That was when the Justice Department put a $5\r\nmillion bounty on the head of Evil Corp., and the Treasury Department’s Office of Foreign Asset Control\r\n(OFAC) said it was prepared to impose hefty fines on anyone who paid a ransom to the cybercrime group.\r\nAlleged Evil Corp leader Maksim “Aqua” Yakubets. 
Image: FBI\r\nIn early June 2021, researchers discovered the Dridex gang was once again trying to morph in an effort to evade\r\nU.S. sanctions. The drama began when the Babuk ransomware group announced in May that they were starting a\r\nnew platform for data leak extortion, which was intended to appeal to ransomware groups that didn’t already have\r\na blog where they can publicly shame victims into paying by gradually releasing stolen data.\r\nOn June 1, Babuk changed the name of its leaks site to payload[dot]bin, and began leaking victim data. Since\r\nthen, multiple security experts have spotted what they believe is another version of WastedLocker dressed up as\r\npayload.bin-branded ransomware.\r\n“Looks like EvilCorp is trying to pass off as Babuk this time,” wrote Fabian Wosar, chief technology officer at\r\nsecurity firm Emsisoft. “As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once\r\nagain as PayloadBin in an attempt to trick victims into violating OFAC regulations.”\r\nExperts are quick to point out that many cybercriminals involved in ransomware activity are affiliates of more\r\nthan one distinct ransomware-as-a-service operation. 
In addition, it is common for a large number of affiliates to\r\nmigrate to competing ransomware groups when their existing sponsor suddenly gets shut down.\r\nAll of the above would seem to suggest that the success of any strategy for countering the ransomware epidemic\r\nhinges heavily on the ability to disrupt or apprehend a relatively small number of cybercriminals who appear to\r\nwear many disguises.\r\nPerhaps that’s why the Biden Administration said last month it was offering a $10 million reward for information\r\nthat leads to the arrest of the gangs behind the extortion schemes, and for new approaches that make it easier to\r\ntrace and block cryptocurrency payments.\r\nSource: https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/"
	],
	"report_names": [
		"ransomware-gangs-and-the-name-game-distraction"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438948,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fb9592c517340c4f12e2660a7c66b15f1833261.pdf",
		"text": "https://archive.orkl.eu/4fb9592c517340c4f12e2660a7c66b15f1833261.txt",
		"img": "https://archive.orkl.eu/4fb9592c517340c4f12e2660a7c66b15f1833261.jpg"
	}
}