PayloadBIN Ransomware is a new threat being deployed against computer users. As a member of the ransomware class of threats, PayloadBIN initiates an encryption routine on compromised systems in order to lock the files stored there. The threat actors then extort their victims for money in exchange for a decryption key and software that could potentially restore the data. Encrypted files are marked by having '.PAYLOADBIN' appended to their original names as a new extension. The ransom note for the threat is then delivered as a text file named 'PAYLOADBIN-README.txt'. The instructions from the cybercriminals are extremely short, simply telling their victims to establish communication by writing a message to the two provided email addresses.
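A small incident-response triage helper built only on the two indicators named above, the '.PAYLOADBIN' extension appended to encrypted files and the 'PAYLOADBIN-README.txt' ransom note; this is an added example, not code from the article or from any analysis it cites, and the sample paths and note text in the test are constructed placeholders.

```python
"""Inventory a host suspected of PayloadBIN encryption for incident response.

Added example, not from the original write-up. It relies solely on the two
indicators the article states (extension and note file name) and decrypts
nothing; its output is an impact inventory for restore planning and reporting.
"""
import os
import re
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".PAYLOADBIN"          # appended to each encrypted file's name
RANSOM_NOTE = "PAYLOADBIN-README.txt"   # dropped alongside encrypted data
# Rough matcher for the contact addresses the note tells victims to write to.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class Triage:
    encrypted: list = field(default_factory=list)  # (path, original file name)
    note_dirs: list = field(default_factory=list)  # directories holding the note
    contacts: set = field(default_factory=set)     # addresses seen in notes


def classify_paths(paths, read_note=None):
    """Build a Triage summary from an iterable of file paths.

    read_note(path) -> str is optional; when supplied, each ransom note is
    read and the contact addresses it names are collected for the report.
    """
    t = Triage()
    for p in paths:
        directory, name = os.path.split(p)
        if name == RANSOM_NOTE:
            t.note_dirs.append(directory)
            if read_note is not None:
                t.contacts.update(EMAIL_RE.findall(read_note(p)))
        elif name.endswith(ENCRYPTED_EXT):
            # The extension is appended to the original name, so stripping it
            # recovers the name to look for in backups during restoration.
            t.encrypted.append((p, name[: -len(ENCRYPTED_EXT)]))
    return t


def scan_tree(root):
    """Filesystem wrapper around classify_paths for a real volume."""
    def walk():
        for dirpath, _, files in os.walk(root):
            for f in files:
                yield os.path.join(dirpath, f)

    def read_note(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()

    return classify_paths(walk(), read_note)
```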
PayloadBIN Ransomware Attribution
Functionally, PayloadBIN Ransomware doesn't show any distinct improvements or modifications when compared to other current threats of this type. Determining which hackers are responsible for unleashing the threat is a different matter altogether. After all, judging solely by the name, one would assume that the threat belongs to the 'payload bin' group. This group, however, is a rebrand of the Babuk gang, adopted after it announced its intention to quit the ransomware sector and instead focus on data theft and extortion. The hackers took this decision after managing to breach the Metropolitan Police Department in Washington, DC, and harvest various unencrypted information.
In fact, analysis of PayloadBIN shows close connections to the ransomware threats associated with another cybercriminal organization named Evil Corp. Ever since the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) imposed sanctions on Evil Corp, the hackers have relied on numerous rebrands to continue their operations. This latest operation is one such example, with Evil Corp repackaging its WastedLocker Ransomware under a different name in an attempt to impersonate the ex-Babuk gang.
With PayloadBIN now attributed with high confidence to a sanctioned hacking group, it is extremely unlikely that ransomware negotiation companies will continue engaging with victims of the threat or facilitating any additional ransom payments.