IE 11 is not supported. For an optimal experience visit our site on another browser.

Ransomware hackers sidestep U.S. sanctions with a new trick: Rebranding

Ransomware groups are quickly changing names to sidestep sanctions and ensure victims continue to pay up.

Ransomware hackers sanctioned by the United States have learned to rebrand themselves and their software, a strategy meant to sidestep the curbs and make it more likely that victims pay up. 

It’s the most recent development in what has become a burgeoning chase between U.S. authorities and cybercriminals who have figured out ways to evade crackdowns and sustain their multibillion-dollar hacking industry.

A study published Thursday by the cybersecurity company Mandiant found that a notorious Russian cybercriminal gang changed its tactics almost immediately after a Department of Treasury advisory. The gang, called Evil Corp, was already under sanctions when the department announced it was responsible for a strain of ransomware software called WastedLocker.

Evil Corp quickly stopped using the WastedLocker software and quickly developed variants of it with different names and graphics, Mandiant’s analysis found. Those new strains of ransomware were among the most prevalent over the past two years, though it wasn’t always clear whether Evil Corp was behind them.

Kimberly Goody, Mandiant’s director of cybercrime analysis, said that pivot was clearly designed to keep the flow of money coming from American victims.

“They can kind of hide behind this very well-known public brand in order to receive payments from their victims, most of whom, quite frankly, are not going to have a clue this is tied to any sanctioned actor,” she said.

Criminal hackers use ransomware to extort victims by encrypting their computer networks and demanding payment for a digital key to make them usable again. They also often threaten to publish the files they’ve hacked if a victim doesn’t pay. The number of ransomware attacks rose sharply during the pandemic, with hackers extorting an estimated $14 billion in cryptocurrency last year.

Last fall, the White House declared Treasury Department sanctions against cybercriminals to be a key component of its fight against ransomware, hoping that if American victims are less likely to pay, hackers may be less inclined to attack them.

But ransomware victims rarely have any idea who has attacked them besides the nickname of the software that has infected their computers. If sanctioned criminals undergo a minor rebrand of their software, they can trick victims into thinking they’re not violating sanctions by paying.

The Treasury Department has only issued a handful of cybercrime sanctions, and they can be difficult to navigate. In September, it issued an advisory that Americans could face civil penalties for sending ransomware payments to a sanctioned hacker, even if the victim didn’t know their attacker was sanctioned. Some of the sanctions against ransomware hackers are geographically broad, including against paying hackers affiliated with the Iranian or North Korean governments, even though victims aren’t likely to know where their attackers are coming from.

In an emailed statement, a Treasury Department spokesperson said that “we encourage victims and related companies to report incidents and fully cooperate with law enforcement as soon as possible” to minimize the chances they would face civil penalties.

“Treasury continues to strongly discourage the payment of cyber ransom or extortion demands,” the statement said.

Bill Siegel, CEO of Coveware, a company that helps victims of ransomware — including sometimes helping them pay their attackers if doing so doesn’t violate sanctions — said his company has noticed ransomware hackers changing up the design of their programs if they’re sanctioned.

“They know that brand is basically cooked, and they need to either find another line or work or try and rebrand themselves to obfuscate their identity and hope that nobody links the two together,” he said.

Siegel said he’s repeatedly found himself advising victims that their attackers are likely under sanctions, even though they’ve rebranded.

“It is very hard. We have had to pay our lawyers a great deal of money to help us establish these standards internally,” he said.

“We typically recuse ourselves from those cases because we know we can’t help them, we just say ‘Sorry you’re in this situation but there’s nothing we can do,’” he said. “You can make a decision to pay, but we can’t be a part of that.”