Evil Corp Cybercriminal Syndicate Poses Threat to Healthcare Cybersecurity

August 31, 2022 - The Health Sector Cybersecurity Coordination Center (HC3) issued a threat profile about Evil Corp and warned that the prolific group could threaten healthcare cybersecurity.

The Russian-based cybercriminal syndicate has been operational since 2009 and is responsible for creating some of the most powerful ransomware and malware variants. The group maintains strong connections to the Russian government and other cybercriminal gangs.

HC3 described the group as “exceptionally aggressive and capable.” Considering the group’s past crimes, this description seems highly accurate. In 2019, Evil Corp used Dridex malware to harvest login credentials from hundreds of banks, raking in more than $100 million in stolen funds.

To this day, the FBI and State Department are offering $5 million for information leading to the arrest and conviction of Evil Corp’s leader, Maksim Yakubets. The sum is the largest reward for a cybercriminal ever offered.

Evil Corp made its name by developing Dridex, which is a “multifunctional malware variant capable of impacting the confidentiality and availability of protected data and systems directly related to business operations,” HC3 explained.

The variant has been used against banking and healthcare information. The sensitivity and value of healthcare data on the dark web make it an appealing target for threat actors.

“Many ransomware operators have found the health sector to be an enticing target as, due to the nature of their operations, they are likely to pay some form of ransom to restore operations,” the threat profile continued.

“Healthcare organizations are particularly susceptible to data theft as personal health information (PHI) is often sold on the dark web to those looking to leverage it for fraudulent purposes.”

Considering its suspected ties with the Russian government, HC3 noted that it is “entirely plausible” that Evil Corp could be “tasked with acquiring intellectual property from the U.S. health sector” since it is more cost-effective to steal research and intellectual property rather than conduct it themselves. For this reason, the healthcare sector should remain vigilant.

The group is financially motivated and usually conducts attacks via digital extortion, ransomware, and cyberattacks that facilitate the theft of sensitive information. The profile noted that Evil Corp stands out because of how they blur the lines between cybercriminals and state-sponsored activities.

“They are known to cooperate with Russian intelligence agencies, including but not necessarily limited to the FSB. While this doesn’t make them unique, the extent to which their activities are driven by both personal greed and a state political agenda gives them one of the widest arrays of potential motivations of all the major cyber threat actors in the world,” HC3 stated.

“There is speculation that Evil Corp is simply a front organization for Russian intelligence, but it should be noted that they have stolen large sums of money from their victims over their history of operations.”

HC3 outlined the group’s leadership, motivations, tactics, tools, and relationships in great detail throughout the brief. However, the threat profile stopped short of providing mitigation tactics.

“It is not practical to attempt to lay out a comprehensive list of defense and mitigations recommendations and data for a group such as Evil Corp, which maintains a wide array of custom capabilities that are continually being developed,” the profile stated.

As much as experts do know about the group, it is the unpredictability of Evil Corp that makes them such a significant threat. Instead of providing specific tips, HC3 linked to various alerts, mitigations, Yara rules, and other defensive information to help healthcare organizations learn more about Evil Corp and act accordingly.