October 4, 2023

The new PayloadBIN ransomware has been attributed to the Evil Corp cybercrime gang, which has rebranded its operation once again to evade sanctions imposed by the US Treasury's Office of Foreign Assets Control (OFAC).

The Evil Corp gang, also known as Indrik Spider and the Dridex gang, started as an affiliate of the ZeuS botnet before forming its own group focused on distributing the Dridex banking trojan and downloader via phishing emails.

Since the sanctions took effect, Evil Corp has repeatedly renamed its ransomware operations, using names such as WastedLocker, Hades, and Phoenix, to bypass them.

When installed, the ransomware appends the .PAYLOADBIN extension to encrypted files. The ransom note is named ‘PAYLOADBIN-README.txt’ and states that the victim’s “networks is LOCKED with PAYLOADBIN ransomware.” Analysis of the new ransomware indicates that it is a rebranding of Evil Corp’s previous ransomware operations rather than a new code base.
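The two on-disk indicators named above (the .PAYLOADBIN extension and the PAYLOADBIN-README.txt note with its “LOCKED with PAYLOADBIN ransomware” phrase) are enough for a first-pass host triage. The script below is an added example, not tooling from the article or from any vendor: it walks a directory tree, separates real notes from decoy files that merely share the note's name, counts encrypted files, and returns a verdict. The sample directory it builds is constructed for the demonstration; the case-insensitive matching and the verdict labels are this example's own choices.

```python
"""
Host triage for the PayloadBIN indicators described in the article.
Added example; the sample tree it builds is constructed, not real victim data.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".payloadbin"          # matched case-insensitively (assumption)
NOTE_NAME = "payloadbin-readme.txt"    # matched case-insensitively (assumption)
NOTE_MARKER = "LOCKED with PAYLOADBIN ransomware"   # phrase quoted in the article


def triage_tree(root):
    """Walk `root` and collect PayloadBIN indicators.

    Returns a dict with:
      encrypted       - paths whose name ends in .PAYLOADBIN
      notes           - ransom-note paths whose content carries NOTE_MARKER
      notes_nomatch   - files named like the note but without the marker (decoys)
      dirs_with_notes - directories that contain a confirmed note
    """
    result = {"encrypted": [], "notes": [], "notes_nomatch": [],
              "dirs_with_notes": set()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == NOTE_NAME:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    text = ""
                if NOTE_MARKER in text:
                    result["notes"].append(str(path))
                    result["dirs_with_notes"].add(dirpath)
                else:
                    result["notes_nomatch"].append(str(path))
            elif lower.endswith(ENCRYPTED_EXT):
                result["encrypted"].append(str(path))
    return result


def assess(result):
    """Reduce the indicator lists to a single verdict for the responder."""
    has_enc = bool(result["encrypted"])
    has_note = bool(result["notes"])
    if has_enc and has_note:
        return "confirmed"       # both artefacts present: treat as a PayloadBIN hit
    if has_enc:
        return "encrypted-only"  # renamed files but no note: possible partial run
    if has_note:
        return "note-only"       # note dropped but nothing encrypted: investigate
    return "none"


def make_sample_tree():
    """Build a constructed directory resembling a hit host; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="payloadbin_demo_"))
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx.PAYLOADBIN").write_bytes(os.urandom(64))
    (docs / "notes.txt.PAYLOADBIN").write_bytes(os.urandom(64))
    (docs / "PAYLOADBIN-README.txt").write_text(
        "Your networks is LOCKED with PAYLOADBIN ransomware.\n")
    pics = root / "Users" / "alice" / "Pictures"
    pics.mkdir(parents=True)
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    # Decoy: right filename, wrong content, so the marker check has work to do.
    (pics / "PAYLOADBIN-README.txt").write_text("not a real note\n")
    return str(root)


if __name__ == "__main__":
    sample = make_sample_tree()
    r = triage_tree(sample)
    print(f"verdict={assess(r)} encrypted={len(r['encrypted'])} "
          f"notes={len(r['notes'])} decoys={len(r['notes_nomatch'])}")
    for d in sorted(r["dirs_with_notes"]):
        print("ransom note in", d)
```

Run against a mounted victim volume or a forensic image, the `encrypted` list doubles as the restore-from-backup worklist, and `dirs_with_notes` shows how far the encryptor got through the tree.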

In other words, the gang rebranded its existing operation and simply took the opportunity to start over under a new name.

As the ransomware is now attributed to a sanctioned group, most ransomware negotiation firms will likely refuse to facilitate payments for victims of PayloadBIN, since paying a sanctioned entity exposes the payer to civil penalties under OFAC rules.

