{ "id": "c989ab95-929b-4be5-be46-1a58a9f1fb93", "created_at": "2026-04-06T02:12:05.065803Z", "updated_at": "2026-04-10T03:33:15.538596Z", "deleted_at": null, "sha1_hash": "ee75bc2e2e73b421136e09ad9b6db6b163b38e26", "title": "Evil Corp switches to Hades ransomware to evade sanctions", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2130721, "plain_text": "Evil Corp switches to Hades ransomware to evade sanctions\r\nBy Sergiu Gatlan\r\nPublished: 2021-03-25 · Archived: 2026-04-06 01:36:53 UTC\r\nHades ransomware has been linked to the Evil Corp cybercrime gang who uses it to evade sanctions imposed by the\r\nTreasury Department's Office of Foreign Assets Control (OFAC).\r\nEvil Corp (aka the Dridex gang or INDRIK SPIDER) has been active since at least 2007 and it is known for distributing the\r\nDridex malware.\r\nThey later shifted to the ransomware \"business,\" first using Locky ransomware and then their own ransomware strain known\r\nas BitPaymer, deployed in attacks until 2019.\r\nhttps://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nUS sanctions for financial damages of more than $100 million\r\nThe U.S. Treasury Department sanctioned Evil Corp gang members in December 2019 after being charged for using Dridex\r\nto cause over $100 million in financial damages.\r\nBecause of this, their victims face a tricky situation if they want to pay Evil Corp's ransom as they would also violate the\r\nsanctions.\r\nOFAC also warned in October 2020 that orgs assisting ransomware victims in making ransom payments to sanctioned threat\r\nactors also face risks as their actions could violate regulations.\r\nStarting with June 2020, Evil Corp refreshed its tactics to circumvent the sanctions, deploying its new WastedLocker\r\nransomware in attacks targeting enterprise orgs.\r\nWearable device maker Garmin is one of the high-profile targets Evil Corp hit with its WastedLocker ransomware. The\r\ncompany had to shut down some of its connected services and call centers following the attack.\r\nNew tooling helps bypass sanctions\r\nCrowdStrike now linked the cybercrime gang to Hades ransomware based on \"significant code overlap.\" This new,\r\npreviously unattributed malware tooling is helping Evil Corp bypass sanctions to monetize their attacks.\r\nHades ransomware is a 64-bit compiled variant of WastedLocker upgraded with supplementary code obfuscation and a few\r\nminor feature changes.\r\n\"Hades ransomware shares the majority of its functionality with WastedLocker; the ISFB-inspired static configuration,\r\nmulti-staged persistence/installation process, file/directory enumeration, and encryption functionality are largely\r\nunchanged,\" CrowdStrike said.\r\n\"Hades did receive minor modifications, and the removed features included those that were uniquely characteristic of\r\nINDRIK SPIDER’s previous ransomware families — WastedLocker and BitPaymer.\"\r\nWhen encrypting a victim's systems, Hades creates a ransom note named 'HOW-TO-DECRYPT-[extension].txt' resembling\r\nransom notes dropped by REvil ransomware.\r\nThe ransom notes contain a URL that directs the victims to a Tor site with info about the attack and a Tox messenger address\r\nthey can use to contact Evil Corp's operators.\r\nhttps://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/\r\nPage 3 of 5\n\nHades Tor site (BleepingComputer)\r\n\"INDRIK SPIDER’s move to this ransomware variant also came with another shift in tactics: the departure from using email\r\ncommunication and the possibility of exfiltrating data from victims to elicit payments,\" CrowdStrike added.\r\nBleepingComputer reported that Hades ransomware was used to encrypt trucking giant Forward Air's systems in December\r\n2020.\r\nWhile there aren't many Hades ransomware attacks being reported by affected organizations, Evil Corp victims have been\r\nusing the ID-Ransomware service to check if their systems were hit by Hades ransomware since the group started using the\r\nnew strain.\r\nImage: ID-Ransomware\r\n\"The continued development of WastedLocker ransomware is the latest attempt by the notorious adversary to distance\r\nthemselves from known tooling to aid them in bypassing the sanctions imposed upon them,\" CrowsStrike concluded.\r\n\"The sanctions and indictments have undoubtedly significantly impacted the group and have made it difficult for INDRIK\r\nSPIDER to successfully monetize their criminal endeavors.\"\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nhttps://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/\r\nPage 4 of 5\n\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/\r\nhttps://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/" ], "report_names": [ "evil-corp-switches-to-hades-ransomware-to-evade-sanctions" ], "threat_actors": [ { "id": "8670f370-1865-4264-9a1b-0dfe7617c329", "created_at": "2022-10-25T16:07:23.69953Z", "updated_at": "2026-04-10T02:00:04.716126Z", "deleted_at": null, "main_name": "Hades", "aliases": [ "Operation TrickyMouse" ], "source_name": "ETDA:Hades", "tools": [ "Brave Prince", "Gold Dragon", "GoldDragon", "Lovexxx", "Olympic Destroyer", "Running RAT", "RunningRAT", "SOURGRAPE", "running_rat" ], "source_id": "ETDA", "reports": null }, { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9", "created_at": "2023-01-06T13:46:38.839083Z", "updated_at": "2026-04-10T02:00:03.117987Z", "deleted_at": null, "main_name": "INDRIK SPIDER", "aliases": [ "Manatee Tempest" ], "source_name": "MISPGALAXY:INDRIK SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null }, { "id": "6c4f98b3-fe14-42d6-beaa-866395455e52", "created_at": "2023-01-06T13:46:39.169554Z", "updated_at": "2026-04-10T02:00:03.23458Z", "deleted_at": null, "main_name": "Evil Corp", "aliases": [ "GOLD DRAKE" ], "source_name": "MISPGALAXY:Evil Corp", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775441525, "ts_updated_at": 1775791995, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ee75bc2e2e73b421136e09ad9b6db6b163b38e26.pdf", "text": "https://archive.orkl.eu/ee75bc2e2e73b421136e09ad9b6db6b163b38e26.txt", "img": "https://archive.orkl.eu/ee75bc2e2e73b421136e09ad9b6db6b163b38e26.jpg" } }