{
	"id": "3eaa5963-c488-42f1-899b-53f2a37125b3",
	"created_at": "2026-04-06T00:06:40.925655Z",
	"updated_at": "2026-04-10T03:33:15.514521Z",
	"deleted_at": null,
	"sha1_hash": "caa4abbdec9070ccf9f62615f1e4f85b7117f93f",
	"title": "Evil Corp demands $40 million in new Macaw ransomware attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2473887,
	"plain_text": "Evil Corp demands $40 million in new Macaw ransomware attacks\r\nBy Lawrence Abrams\r\nPublished: 2021-10-21 · Archived: 2026-04-05 15:10:42 UTC\r\nEvil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making\r\nransom payments.\r\nThe Evil Corp hacking group, also known as Indrik Spider and the Dridex gang, has been involved in cybercrime activities\r\nsince 2007, but mostly as an affiliate of other organizations.\r\nOver time, the group began focusing on their own attacks by creating and distributing a banking trojan known as Dridex in\r\nphishing attacks.\r\nhttps://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/\r\nPage 1 of 5\r\nMoving to ransomware\r\nAs ransomware attacks became increasingly profitable, Evil Corp launched an operation called BitPaymer, delivered\r\nvia the Dridex malware to compromised corporate networks.\r\nThe hacking group's criminal activity ultimately led to it being sanctioned by the US government in 2019.\r\nDue to these sanctions, ransomware negotiation firms will no longer facilitate ransom payments for operations attributed to\r\nEvil Corp.\r\nTo bypass US sanctions, Evil Corp began creating limited-use ransomware operations under different names, such as\r\nWastedLocker, Hades, Phoenix CryptoLocker, and PayloadBin.\r\nAnother ransomware family believed, but not proven, to be affiliated with Evil Corp is DoppelPaymer, which was\r\nrecently rebranded as Grief.\r\nIntroducing Macaw Locker\r\nThis month, Olympus and Sinclair Broadcast Group had their operations severely disrupted by weekend ransomware\r\nattacks.\r\nFor Sinclair, it caused TV broadcasts to be cancelled, different shows to air, and newscasters to report their stories with\r\nwhiteboards and paper.\r\nThis week, it was discovered that both attacks were conducted by a new ransomware known as Macaw Locker.\r\nIn a conversation with Emsisoft CTO Fabian Wosar, BleepingComputer was told that, based on code analysis,\r\nMacaw Locker is the latest rebrand of Evil Corp's ransomware family.\r\nBleepingComputer has also learned from sources in the cybersecurity industry that the only two known Macaw Locker\r\nvictims are Sinclair and Olympus.\r\nSources also shared the private Macaw Locker victim pages for two attacks, where the threat actors demand a 450 bitcoin\r\nransom, or $28 million, for one attack and $40 million for the other victim.\r\nIt is unknown which company is associated with each ransom demand.\r\nThe Macaw Locker ransomware encrypts victims' files and appends the .macaw extension to the file name when\r\nconducting attacks.\r\nWhile encrypting files, the ransomware also creates ransom notes in each folder named macaw_recover.txt.
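As an added example (not from the BleepingComputer article, and not code from Evil Corp, Emsisoft or any vendor), the following Python script triages a file share for the two artifacts the article names: files carrying the .macaw extension and macaw_recover.txt notes, from which it pulls the Tor negotiation URL and the decryption ID. The note layout, the sample directory tree, and the placeholder .onion address and campaign ID are constructed assumptions; the encrypted files' mtimes are used to bracket the encryption window, which is a standard IR step the article does not spell out.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Artifacts named in the article: encrypted files get a .macaw extension and
# every folder receives a ransom note called macaw_recover.txt.
ENCRYPTED_EXT = '.macaw'
NOTE_NAME = 'macaw_recover.txt'


def parse_note(text):
    '''Extract the Tor negotiation URL(s) and decryption/campaign ID(s) from a
    ransom note. The note layout is an ASSUMPTION for this example: the article
    only says the note carries a Tor URL and an ID, so we accept any .onion
    token and any line whose label (before the colon) mentions an ID.'''
    onion_urls = set()
    ids = set()
    for line in text.splitlines():
        for token in line.replace(',', ' ').split():
            if '.onion' in token:
                onion_urls.add(token.strip('.;:()<>'))
        if ':' in line:
            label, _, value = line.partition(':')
            if 'id' in label.lower() and value.strip():
                ids.add(value.strip())
    return {'onion_urls': sorted(onion_urls), 'ids': sorted(ids)}


def _utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def triage(root):
    '''Walk a tree and summarise Macaw Locker artifacts for incident response:
    number of encrypted files, folders holding a note, the encryption window
    bracketed by the encrypted files' mtimes, and indicators from the notes.'''
    root = Path(root)
    encrypted = []
    note_dirs = []
    onion_urls = set()
    ids = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == NOTE_NAME:
                note_dirs.append(path.parent.relative_to(root).as_posix())
                parsed = parse_note(path.read_text(errors='replace'))
                onion_urls.update(parsed['onion_urls'])
                ids.update(parsed['ids'])
            elif path.suffix == ENCRYPTED_EXT:
                encrypted.append(path)
    mtimes = [p.stat().st_mtime for p in encrypted]
    window = (_utc(min(mtimes)), _utc(max(mtimes))) if mtimes else None
    return {
        'encrypted_count': len(encrypted),
        'note_dirs': sorted(note_dirs),
        'encryption_window_utc': window,
        'onion_urls': sorted(onion_urls),
        'ids': sorted(ids),
    }


def build_sample_tree():
    '''Create a throwaway directory mimicking a hit share. Everything here is
    constructed sample data (placeholder .onion address and campaign ID), not
    a real victim or a real indicator. Returns the root path.'''
    root = Path(tempfile.mkdtemp(prefix='macaw-triage-'))
    note = '''Your files are encrypted.
Go to http://macawexampleplaceholder.onion to negotiate.
Decryption ID: CAMPAIGN-ID-PLACEHOLDER
'''
    for sub in ('finance', 'finance/2021', 'hr'):
        folder = root / sub
        folder.mkdir(parents=True, exist_ok=True)
        (folder / NOTE_NAME).write_text(note)
        encrypted_name = 'report-' + sub.replace('/', '-') + '.xlsx' + ENCRYPTED_EXT
        (folder / encrypted_name).write_bytes(b'x' * 32)
    (root / 'untouched.txt').write_text('not encrypted')
    return root


if __name__ == '__main__':
    sample_root = build_sample_tree()
    try:
        for key, value in triage(sample_root).items():
            print(key, value)
    finally:
        shutil.rmtree(sample_root)
```

Run it against a mounted copy of the affected share rather than the live system: the walk only reads, but mtimes on the original are evidence and should be preserved by imaging first. The extracted .onion URL and ID are what a negotiation firm or law enforcement will ask for when attributing the campaign.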
For each\r\nattack, the ransom note contains a unique victim negotiation page on Macaw Locker's Tor site and an associated\r\ndecryption ID, or campaign ID, as shown below.\r\nMacaw Locker ransom note\r\nThe gang's dark web negotiation site contains a brief introduction to what happened to the victim, a tool to decrypt three\r\nfiles for free, and a chatbox to negotiate with the attackers.\r\nMacaw Locker Tor payment negotiation site\r\nNow that Macaw Locker has been exposed as an Evil Corp variant, we will likely see the threat actors rebrand their\r\nransomware again.\r\nThis constant cat-and-mouse game will likely never end until Evil Corp stops performing ransomware attacks or sanctions\r\nare lifted.\r\nHowever, neither of those scenarios is likely to take place in the immediate future.\r\nSource: https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/"
	],
	"report_names": [
		"evil-corp-demands-40-million-in-new-macaw-ransomware-attacks"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434000,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/caa4abbdec9070ccf9f62615f1e4f85b7117f93f.pdf",
		"text": "https://archive.orkl.eu/caa4abbdec9070ccf9f62615f1e4f85b7117f93f.txt",
		"img": "https://archive.orkl.eu/caa4abbdec9070ccf9f62615f1e4f85b7117f93f.jpg"
	}
}