Cybercriminals always try to stay one step ahead of law enforcement and computer security experts, developing new tactics, tweaking existing malware, and coming up with creative ways to monetize their activities.

In recent years, hacker groups have mostly focused on ransomware, which is a type of malware that employs encryption to lock the victim's data until a ransom is paid. In 2021, a new ransomware threat emerged: PayloadBin. So what is PayloadBin and how can you protect against it?

What Is PayloadBin Ransomware and How Does It Work?

Like most ransomware, PayloadBin is deployed through email or fake browser updates.

So, for example, if an employee of a large company downloads and opens a malicious email attachment, the malware spreads through the entire network and encrypts all available files. The process is similar with malicious browser updates, which can sometimes appear on legitimate websites.

Once executed on the victim's computer, the malware encrypts the victim's files and appends the .PAYLOADBIN extension to each one.

To lock files, PayloadBin uses a combination of the Advanced Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA) encryption algorithms and generates a unique key for each file. This hybrid scheme is the encryption method preferred by most ransomware operators.

Once the files are encrypted, the target is left with a ransom note. The ransom note usually contains some sort of warning, and an email address (hackers typically use end-to-end encrypted email services), which the victim is told to use to contact the attackers and submit the ransom payment.
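A defender-side check for the behaviour described above, added here as an example and not taken from the original article or from any vendor product: it scans constructed file-system audit events (a hypothetical log format) and flags any host where many files gain the .PAYLOADBIN extension within a short window, which is what mass encryption looks like from the outside.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of file-system audit events (hypothetical log format, not from any
# real product): "<ISO timestamp> host=<name> action=<rename|create> path=<file path>".
SAMPLE_EVENTS = """\
2021-06-01T09:14:02 host=ws-17 action=rename path=C:\\Users\\amy\\report.docx.PAYLOADBIN
2021-06-01T09:14:02 host=ws-17 action=rename path=C:\\Users\\amy\\budget.xlsx.PAYLOADBIN
2021-06-01T09:14:03 host=ws-17 action=rename path=C:\\Users\\amy\\notes.txt.PAYLOADBIN
2021-06-01T09:14:03 host=ws-17 action=rename path=C:\\Users\\amy\\photo.jpg.PAYLOADBIN
2021-06-01T09:14:04 host=ws-17 action=rename path=C:\\Users\\amy\\plan.pptx.PAYLOADBIN
2021-06-01T09:20:00 host=ws-03 action=rename path=C:\\Temp\\sample.bin.PAYLOADBIN
2021-06-01T10:05:11 host=ws-03 action=create path=C:\\Temp\\build.log
"""

EVENT_RE = re.compile(r"^(\S+) host=(\S+) action=(\S+) path=(.+)$")
RANSOM_EXT = ".PAYLOADBIN"   # extension the article says PayloadBin appends


def detect_encryption_bursts(log_text, threshold=5, window=timedelta(seconds=30)):
    """Return {host: first_timestamp} for every host on which at least `threshold`
    files gained the .PAYLOADBIN extension inside a sliding `window`.
    One such rename is noise (a sample, a quarantined file); a burst is the
    mass-encryption behaviour the article describes."""
    recent = defaultdict(deque)   # host -> timestamps of recent .PAYLOADBIN renames
    alerts = {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue                # skip malformed lines rather than crash
        ts_raw, host, action, path = m.groups()
        if action != "rename" or not path.upper().endswith(RANSOM_EXT):
            continue
        ts = datetime.fromisoformat(ts_raw)
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = q[0]           # record when the burst started
    return alerts


if __name__ == "__main__":
    for host, first in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {host} mass .PAYLOADBIN rename burst starting {first}")
```

In production the same logic would run over real EDR or file-server audit events, and the alert should trigger isolation of the host and restoration from the backups the article recommends.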

Who Is Behind PayloadBin Ransomware?


After breaching the Metropolitan Police Department in Washington, D.C., in early 2021, the hacker group Babuk said it would move beyond ransomware attacks and focus on data theft instead.

In May 2021, Babuk rebranded as "payload bin," redesigning its data leak website. This led many to conclude that PayloadBin was essentially a rebranding of Babuk Locker, a ransomware variant this group has used to target universities, hospitals, and small businesses.


According to Bleeping Computer and several cybersecurity experts, an analysis of PayloadBin shows that Evil Corp, and not Babuk, is behind the ransomware.

Evil Corp is one of the most successful hacker groups in the world, having stolen hundreds of millions from corporations, banks, and financial institutions across the globe.

The United States Justice Department in 2019 filed charges against Evil Corp's alleged leader Maksim Yakubets, while the Treasury Department's Office of Foreign Assets Control (OFAC) issued sanctions against the group.

The sanctions also apply to any entity that pays a ransom or participates in the payment, which has forced Evil Corp to rebrand. Bleeping Computer, Fabian Wosar of Emsisoft, and Michael Gillespie of ID Ransomware all believe PayloadBin is just Evil Corp's latest attempt to evade sanctions.

How to Protect Against PayloadBin Ransomware

The vast majority of ransomware gangs, including Evil Corp, do not target individuals, but rather large and mid-sized organizations. However, attackers often take advantage of employees' lack of knowledge to deploy malware, which highlights the importance of cybersecurity training.

When it comes to cybersecurity in general, prevention is absolutely key. This means that you should never click on suspicious links, open attachments from unknown email addresses, or download a software update without first double-checking that it is legitimate.

For employers and businesses, investing in robust cyber protection is a necessity, especially today when millions of workers have made what appears to be a permanent transition to work from home, exposing companies to additional risk.

Even the best preventive measures can fail, so organizations should strive to regularly update software, use reliable technologies, and frequently back up their data and systems if they want to stay safe from PayloadBin and other similar malware.