Darktrace has recently observed several targeted intrusions associated with Evil Corp, an advanced cyber-criminal group recently in the headlines after a surge in WastedLocker ransomware cases. The group is believed to have targeted hundreds of organizations in over 40 countries, demanding ransoms of $500,000 to $1m to unlock computer files it seizes. US authorities are now offering a $5m reward for information leading to the arrest of the group’s leaders — understood to be the largest sum of money ever offered for a cyber-criminal.

​

Thanks to its self-learning nature, Darktrace's AI detected these intrusions without the use of any threat intelligence or static Indicators of Compromise (IoCs). This blog describes the techniques, tools and procedures used in multiple intrusions by Evil Corp – also known as TA505 or SectorJ04

​

With the right technologies in place, you can secure the perimeter around your police departments' facility while increasing your efficiency and effectiveness in protecting the public.

​

​

Key Takeaways

​

​

• The threat actor was reusing TTPs as well as infrastructure across multiple intrusions

• Some infrastructure was only observed in individual intrusions

• While most WastedLocker reports focus on the ransomware, Darktrace has observed Evil Corp conducting data exfiltration

• The attacker used various living-off-the-land techniques for lateral movement

• Data exfiltration and ransomware activity took place on weekends, likely to reduce response capabilities of IT teams

• Although clearly an advanced actor, Evil Corp can be detected and stopped before encryption ensues

​