HC3 Warns Health Sector Of Cybercriminal Gang Evil Corp

A warning has been issued by the Health Sector Cybersecurity Coordination Center (HC3) to advise the healthcare and public health sector (HPH) of the dangers of Evil Corp. Evil Corp is a cybercrime syndicate based in Russia and has been launching attacks since 2009. The group is said to be responsible for the several ransomware and malware variants including Dridex banking Trojan, BitPaymer, Hades, Phoenixlocker, WastedLocker, SocGholish, GameOver Zeus, and JabberZeus. Evil Corp’s malware and ransomware variants are used primarily on the healthcare sector. Most notably, the 2017 BitPaymer ransomware attack on the National Health Service Lanarkshire Board in Scotland. In recent years, ransomware attacks and theft of confidential information have been the primary methods of operation for Evil Coorp.

In the alert, the HC3 warns how members of Evil Corp are known to work in collaboration with Russian intelligence agencies. The HC3 notes that the group may carry out attacks at the request of the Russian government. According to the HC3, members of Evil Corp are driven by both personal greed and state political agenda. The U.S. federal government has identified several key members of the gang and has placed an active bounty for information relating to their operations. The HC3 notes Maksim Yakubets as the leader of Evil Corp and states he is responsible for managing and monitoring the group’s operations with the Russian government. Yakubets was previously charged with conspiracy, computer hacking, wire fraud, and bank fraud by the grand jury in 2019. The gang is connected to some of the largest ransomware and cybercrime operations globally and has access to various third-party malware strains, such as the TrickBot and Emotet Trojans. 

The HC3 contend that Evil Corp poses a significant threat to the health sector. Healthcare organizations are popular targets for ransomware attacks due to the nature of their operations and the increased likelihood that they will pay a ransom to restore operations. PHI is frequently sold on the dark web to any individuals who want to make use of it for fraudulent purposes. Instead of spending the time and money to conduct their own research, foreign governments often steal intellectual property and research from other governments as it is far more cost-effective. 

As a result of the wide variety of malware and ransomware variants and unique tools utilized by Evil Corp, multiple defensive measures and mitigations are required to identify and stop cyberattacks. The HC3 has listed the measures in a multitude of documents including the CISA Dridex Malware Alert, the CISA Ransomware Guide, and the DHS Dridex P2P Malware Alert.