Evil Corp Release New Macaw Locker Ransomware To Evade US Sanctions Again

Evil Corp has launched a new strain called Macaw Locker Ransomware to evade US sanctions which in the past has prevented victims from making ransom payments. Evil Corp, which has gone under a number of monikers such as Indrik Spider and the Dridex gang, is a veteran of the cybercrime world. It has been active since 2007, usually as an affiliate to other cybercrime outfits.

As time passed, Evil Corp began to shift to their own attacks by creating their own malware. At their peak, their signature strain was a banking trojan known as Dridex us in phishing attacks.

As ransomware attacks took over the cybercrime scene as the most profitable hacking vehicle, Evil Corp launched BitPaymer, delivered via the Dridex malware to compromised corporate networks.

The gang’s success and notoriety lead to them being sanctioned by the US government in 2019.

Due to these sanctions, ransomware negotiation firms will no longer facilitate ransom payments for operations attributed to Evil Corp.

To bypass the restrictions, Evil Corp created a plethora of limited-use ransomware strains and operations under names like WastedLocker, Hades, Phenoix Locker, and PayloadBin.


Macaw Loader Ransomware Analysis

Last week, SaferNet reported that Olympus and Sinclair broadcasting group has their operations disrupted by a ransomware attack.

For Sinclair, this mean several broadcasts needed to be canceled, old shows were rerun, and newscasters had to report their stories with whiteboards and paper.

It was unknown what strain caused these attacks at the time, with most sources pointing to Black Matter Ransomware. However, it is now understood that the strain was Evil Corp’s new strain, Macaw Locker Ransomware

Emsisoft CTO Fabian Wosan explained in a conversation with researchers at Bleeping Computer that he made the discovery based on a code analysis of Macaw Locker Ransomware versus other strains in Evil Corp’s ransomware family.

It is currently believed that Sinclair and Olympus are the only victims of Macaw Locker Ransomware thus far.

Sources also shared the private Macaw Locker Ransomware victim pages for two attacks, where the threat actors demand a 450 bitcoin ransom, or $28 million, for one attack and $40 million for the other victim.

It is unknown what company is associated with each ransom demand.

The Macaw Locker ransomware will encrypt victims’ files and append the .macaw extension to the file name when conducting attacks.

While encrypting files, the ransomware will also create ransom notes in each folder named macaw_recover.txt. For each attack, the ransom note contains a unique victim negotiation page on the Macaw Locker Ransomware’s Tor site and an associated decryption ID, or campaign ID, as shown below.

The gang’s dark web negotiation site contains a brief introduction to what happened to the victim, a tool to decrypt three files for free, and a chatbox to negotiate with the attackers.

Now that Macaw Locker Ransomware has been exposed as an Evil Corp variant, we will likely see the threat actors rebrand their ransomware again.

As stated by researchers at Bleeping computer, “This constant cat-and-mouse game will likely never end until Evil Corp stops performing ransomware attacks or sanctions are lifted.”

Both of these events are unlikely.



Ransomware is a crowded scene, with new threats rising and falling almost every day. It is important that business owners and families have the best tools for the job when it comes to protecting their devices. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.