The post VIPERTUNNEL Hijacks Python for Stealthy Ransomware Access appeared first on Daily CyberSecurity.

Introduction

This blog is part of a cyber threat intelligence (CTI) blog series called Tracking Adversaries that investigates prominent or new threat groups.

The focus of this blog is EvilCorp, a sanctioned Russia-based cybercriminal enterprise known for launching ransomware attacks, and RansomHub, a prominent ransomware as a service (RaaS) operation run by Russian-speaking cybercriminals.

These two threat groups have been linked together through cooperation on intrusions and IOCs and TTPs shared by multiple CTI sources. The implication of this link is critical due to RansomHub being the most active ransomware gang and is working with a well-known sanctioned affiliate.

Who is RansomHub?

Active since February 2024, RansomHub is a RaaS operation formerly known as Cyclops and Knight and is run by Russian-speaking adversaries. It is currently used by more and more cybercriminals that are ex-affiliates of other RaaS operations. This includes the ALPHV/BlackCat RaaS and the LockBit RaaS, which have since shutdown or disappeared. This has made the RansomHub RaaS one of the most widespread ransomware families as of early 2025.

Due to having a high number of affiliates, the tools and TTPs observed before the final RansomHub payload is deployed can vary significantly. Each affiliate may have their own set of tools and TTPs to achieve the final objectives of data exfiltration and ransomware deployment.

Who is EvilCorp?

Evil Corp is an international cybercrime network sanctioned for orchestrating large-scale financial cyberattacks led by Maksim Yakubets. EvilCorp’s operations have evolved over time, expanding from Dridex banking trojan campaigns into developing ransomware like BitPaymer, WastedLocker, Hades, PhoenixLocker, and MacawLocker.

Notably, Aleksandr Ryzhenkov, was identified by the National Crime Agency (NCA) as a high-ranking member of EvilCorp and also LockBit affiliate. Ryzhenkov became a LockBit affiliate around 2022, contributing to over 60 LockBit ransomware builds and attempting to extort more than $100 million from victims. This discovery aligns with Mandiant’s previous reporting on EvilCorp shifting to LockBit as well.

The NCA also found that EvilCorp maintains close ties with Russian intelligence agencies through Yakubets' father-in-law, Eduard Bendersky, a former FSB officer, who is suspected of using his influence to shield the group from prosecution in Russia.

One of the TTPs that makes EvilCorp standout from the rest of the RaaS affiliates is their own affiliation to the SocGholish JavaScript malware (aka FAKEUPDATES). If ransomware deployment takes place following a SocGholish infection, then the attackers responsible for the attack will be affiliated with EvilCorp.

Reported Connections Between EvilCorp and RansomHub

On 15 July 2024, Microsoft shared a post on X stating that RansomHub was observed being deployed in post-compromise activity by Manatee Tempest (which is Microsoft’s name for EvilCorp) following initial access via SocGholish (aka FakeUpdates) infections (which Microsoft tracks as Mustard Tempest).

On 15 January 2025, Guidepoint wrote a blog on a new Python backdoor used by an affiliate of RansomHub. Notably, the new Python backdoor was delivered by SocGholish. Therefore, this Python backdoor is another potential artifact worth monitoring for its connection to known EvilCorp-related malware.

The next day, on 16 January 2025, Google shared a report on EvilCorp (which Google tracks as UNC2165) that disclosed numerous tools and malware families they have been using to deliver RansomHub, including a Python backdoor dubbed VIPERTUNNEL (see the image below). The presence of a Python backdoor following a SocGholish infection is notable TTP that overlaps with the Guidepoint blog on RansomHub.

On 14 March 2025, Trend Micro disclosed further details that also confirmed the SocGholish malware is leading to the deployment of RansomHub ransomware. The operators of SocGholish are tracked as Water Scylla by Trend Micro. The operators distribute SocGholish via the Keitaro Traffic Direction System (TDS), a legitimate service used for marketing campaigns. Trend Micro also observed SocGholish dropping the same custom Python backdoor (aka VIPERTUNNEL) as well.

So What?

EvilCorp has been under US sanctions since 2019, making it illegal for affected organisations to pay ransoms to them without facing potential fines from the US Treasury’s Office of Foreign Assets Control (OFAC). Despite these sanctions, EvilCorp has continued its cybercriminal activities by adapting its tactics to include rebranding their ransomware and becoming an affiliate of RaaS operations, such as LockBit and RansomHub. 

The key indicator of EvilCorp's involvement in ransomware attacks continues to be the use of the SocGholish malware, which employs drive-by downloads masquerading as web browser software updates to gain initial access to systems.

EvilCorp’s affiliation with RansomHub raises the possibilities that RansomHub may soon face sanctions similar to those imposed on EvilCorp. Consequently, any victim that pays a ransom to RansomHub could become significantly riskier for cyber insurance organisations, incident responders, and ransomware negotiators, as they may inadvertently violate sanctions and face legal repercussions.

Given EvilCorp's prominence as a target for international law enforcement, its association with RansomHub is likely to draw increased scrutiny. This could result in RansomHub becoming the focus of future law enforcement actions, including potential takedowns and additional sanctions, further complicating the landscape for entities involved in ransomware response and mitigation.

There is also the increased likelihood that RansomHub will now rebrand. As we saw in the BlackBasta Leaks, ransomware groups pay close attention to the news, CTI reports, and even posts on X and even blogs by researchers. This association to EvilCorp and threat of sanctions is an issue for ransomware groups as it impacts their business model and makes earning harder. Therefore, by linking the two entities together CTI analysts can impose cost on these cybercriminals.

References:

1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
2. https://www.bankinfosecurity.com/blogs/ransomhub-hits-powered-by-ex-affiliates-lockbit-blackcat-p-3703
3. https://www.ransomware.live/group/ransomhub#ttps
4. https://home.treasury.gov/news/press-releases/sm845
5. https://web.archive.org/web/20200213115628/https:/www.nationalcrimeagency.gov.uk/news/international-law-enforcement-operation-exposes-the-world-s-most-harmful-cyber-crime-group
6. https://www.crowdstrike.com/en-us/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/
7. https://web.archive.org/web/20241004104429/https:/www.nationalcrimeagency.gov.uk/news/further-evil-corp-cyber-criminals-exposed-one-unmasked-as-lockbit-affiliate
8. https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0206-DEV-0243
9. https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates
10. https://x.com/msftsecintel/status/1812932754947911780
11. https://www.microsoft.com/en-gb/security/security-insider/manatee-tempest
12. https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/
13. https://services.google.com/fh/files/misc/threat_horizons_report_h1_2025.pdf
14. https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
15. https://blog.bushidotoken.net/2025/02/blackbasta-leaks-lessons-from-ascension.html

The scourge of ransomware continues primarily because of three main reasons: Ransomware-as-a-Service (RaaS), cryptocurrency, and safe havens.

• RaaS platforms enable aspiring cybercriminals to join a gang and begin launching attacks with a support system that help extract ransom payments from their victims.
• Cryptocurrency enables cybercriminals to receive funds from victims around the world without the option to freeze or refund them due to the immutable nature of the virtual funds.
• Safe havens are countries that permit cybercriminals to launch attacks without immediate fear of arrest, enabling them to earn vast fortunes through ransomware campaigns.

With these three challenges in mind, law enforcement and governments have a very difficult job to do when it comes to fighting ransomware but fight it they must. In this blog we shall recall what counter-ransomware activities took place in 2024, analyse their effectiveness, and assess how the landscape shall evolve as a result.

A podcast version of this blog is also available here.

Ransomware Operator Arrests and Sanctions

During 2024, there were significant disruption operations by law enforcement and financial authorities targeting individuals behind ransomware campaigns (see the Table below). The main focus of 2024 for Western law enforcement was squarely on the LockBit RaaS and its affiliates as it was the largest and highest earning ransomware operation to date.

Several key players of the ransomware ecosystem were arrested, including the main developer of LockBit ransomware. Interestingly, Russian law enforcement also decided to arrest ransomware threat actors located in Moscow and Kaliningrad as well.

The ransomware ecosystem has fragmented due to the law enforcement disruptions of the largest players, such as ALPHV/BlackCat and LockBit. In the case of ALPHV/BlackCat, the operators staged a law enforcement takedown as they put up a fake seizure notice as part of an exit scam in March 2024 after the attack on UnitedHealth.

Following these disruptions, some affiliates have migrated to less effective strains or launched their own strains. This includes Akira and RansomHub at the top of the list as well as Hunters International and PLAY.

Cryptocurrency Exchanges Disrupted

During 2024, law enforcement seized funds from and sanctioned a number of cryptocurrency exchanges and individuals running payment processors using cryptocurrency (see the Table below).

One of the most interesting disclosures this year came from the UK National Crime Agency (NCA) around Operation Destablise. The NCA linked payments to ransomware gangs to money laundering networks used by Russian oligarchs to covertly purchase property and Russia Today, the state-run media organization, to covertly fund pro-Russia foreign entities.

Another notable investigation in 2024 was when the US Treasury sanctioned more Russian cryptocurrency exchanges, such as PM2BTC and Cryptex, that led to money launderers that facilitate the cashing out of ransom payments being arrested by Russian law enforcement.

Safe Havens Enabling Ransomware

While ransomware is a global problem, there are only a few countries that are to blame for this rapid expansion of the ransomware ecosystem. The state that is blamed the most for preventing many ransomware operators from facing justice is Russia. There are explicit rules posted to Russian-speaking cybercrime forums that state as long as members avoid targeting Russia and the Commonwealth of Independent States (CIS), they are free to operate.

The Russian ransomware safe haven theory was further proven following sanctions levied against Evil Corp by the UK, US, and Australia. One of the sanctioned men connected to Evil Corp was Eduard Benderskiy, a former Russian federal security service (FSB) official. Benderskiy is reportedly the father-in-law of Maksim Yakubets, the leader of Evil Corp, an organized cybercrime group responsible for multiple ransomware strains including BitPaymer, WastedLocker, Hades, PhoenixLocker, and MacawLocker. In total, Evil Corp has reportedly extorted at least $300 million from victims globally, according to the UK NCA. It is now clear that Evil Corp has protection from a highly connected Russian FSB official who has also been involved in multiple overseas assassinations on behalf of the Kremlin, according to Bellingcat investigators.

While a number of ransomware operators were arrested in 2024 and some were extradited to the US, the work done by law enforcement specializing in cybercrime was put in the spotlight during the August 2024 prisoner swap. Multiple countries decided to release cybercriminals, spies and an assassin as part of a historic prisoner exchange with Russia at an airport in Ankara, Turkey. The US negotiated the release of 16 people from Russia, including five Germans as well as seven Russian citizens who were political prisoners in their own country.

Notably, from a cybercrime intelligence perspective, the Russian nationals released from the West included the infamous cybercriminals Roman Seleznev and Vladislav Klyushin. The latter, Klyushin, was sentenced in 2023 to nine years in US prison after he was caught in a $93 million stock market cheating scheme that involved hacking into US companies for insider knowledge. The other cybercriminal, Seleznev, was sentenced to 27 years in prison in 2017 for stealing and selling millions of credit card numbers from 500 businesses using point-of-sale (POS) malware and causing more than $169 million in damage to small businesses and financial institutions, including those in the US.

In 2024, we saw several more Russian nationals get extradited to the US after being arrested by law enforcement in the country they were residing in. This includes the Phobos operator living in South Korea and the LockBit developer living in Israel. This follows others arrested in previous years such as a TrickBot developer arrested in South Korea as well as the two LockBit affiliates extradited to the US. There is a potential that these Russian nationals involved in ransomware could be used in prisoner exchanges in the future.

Further, another curious trend in 2024 was that some Russians inside Russia, which is firmly considered a safe haven for ransomware gang, did get arrested. This includes the SugarLocker operators arrested in Moscow and the LockBit affiliate Wazawaka who was arrested in Kaliningrad. This is alongside the money launderers arrested around Russia linked to the Cryptex exchange.

The arrests of Russian nationals in Russia for ransomware activities appear to be more symbolic than a true crackdown on this type of activity. This is because there are several dozen Russian-speaking ransomware gangs that continue to operate, as well as a plethora of other types of cybercrime in the Russian-speaking underground.

Outlook

In 2024, there was lots of significant action by law enforcement to shake up the ransomware economy. One of the main successes of the notable Operation Cronos action taken against LockBit was the sowing of distrust and disharmony in the ransomware ecosystem. Despite the admins of LockBit trying to recover, their reputation and army of affiliates have been smashed.

Many of Russian law enforcement activities could all be related to the costs of the Russian invasion of Ukraine. Russian authorities seizing funds of the illicit cryptocurrency exchanges could be to pay for the war in Ukraine and they could be recruiting arresting cybercriminals for offensive cyber operations related to the war in Ukraine. The true motivations of Russian law enforcement arresting these specific ransomware operators but allowing others to operate are unclear. The cybercriminals could also simply have not paid their protection money or lack connections in the FSB like Evil Corp has.

Due to the fall of LockBit and ALPHV/BlackCat in 2024, there has been a rise of other ransomware groups like RansomHub and Akira to fill the vacuum. However, the rate of attacks by these emerging groups is still noticeably lower than when LockBit was operating at full force. This should be perceived as a success for law enforcement operations in 2024 due to the overall number of ransomware attacks lowering, which we should all be thankful for.