
Executives from LockBit Ransomware and Evil Corp were arrested and sanctioned in a joint global action

Oct 3, 2024 | Ravie Lakshmanan | Cybercrime / Ransomware

A new wave of international law enforcement action has resulted in four arrests and the shutdown of nine servers linked to the LockBit (also known as Bitwise Spider) ransomware operation, marking the latest salvo against a once prolific, financially motivated group.

These include the arrest of a suspected LockBit developer in France while on holiday outside Russia, two people in the UK who were allegedly supporting a subsidiary, and an administrator of a bulletproof hosting service in Spain used by the ransomware group, Europol said in a statement.

At the same time, authorities exposed a Russian citizen named Aleksandr Ryzhenkov (aka Beverley, Corbyn_Dallas, G, Guester and Kotosel) as one of the high-ranking members of the cybercrime group Evil Corp, while portraying him as a LockBit partner. In addition, sanctions were announced against seven individuals and two organizations linked to the e-crime gang.


“The United States, in close coordination with our allies and partners, including through the Counter Ransomware Initiative, will continue to uncover and dismantle the criminal networks that seek to profit personally from the pain and suffering of their victims,” said Bradley T. Smith, the acting undersecretary of the Treasury Department's Terrorism and Financial Intelligence Division.

The development, part of a joint exercise called Operation Cronos, comes nearly eight months after the seizure of LockBit's online infrastructure. It also follows the imposition of sanctions against Dmitry Yuryevich Khoroshev, who was revealed to be the administrator and individual behind the “LockBitSupp” persona.

A total of 16 people who were part of Evil Corp were sanctioned by the UK. Also known as Gold Drake and Indrik Spider, the infamous hacking crew has been active since 2014, targeting banks and financial institutions with the ultimate goal of stealing users' login credentials and financial information to facilitate unauthorized money transfers.


The group responsible for the development and distribution of the Dridex malware (also known as Bugat) was already observed using LockBit and other ransomware strains in 2022 to evade the sanctions imposed on the group in December 2019, including key members Maksim Yakubets and Igor Turashev.

Ryzhenkov was described by Britain's National Crime Agency (NCA) as Yakubets' right-hand man. The US Department of Justice (DoJ) accuses him of using BitPaymer ransomware against victims across the country since at least June 2017.

“Using the affiliate name Beverley, Ryzhenkov created over 60 LockBit ransomware builds and attempted to extort at least $100 million from victims through ransom demands,” officials said. “Ryzhenkov has also been linked to the pseudonym mx1r and associated with UNC2165 (an evolution of Evil Corp-affiliated actors).”

Additionally, Ryzhenkov's brother Sergey Ryzhenkov, who is believed to use the online alias Epoch, has been linked to BitPaymer, according to cybersecurity firm CrowdStrike, which assisted the NCA in the effort.


“During 2024, Indrik Spider gained initial access to multiple entities through the Fake Browser Update (FBU) malware distribution service,” it said. “The attacker was last seen using LockBit in an incident in the second quarter of 2024.”

Prominent among those sanctioned are Yakubets' father, Viktor Yakubets, and his father-in-law, Eduard Benderskiy, a former senior FSB official, underscoring the close ties between Russian cybercrime groups and the Kremlin.

“The group was in a privileged position as some members had close ties to the Russian state,” the NCA said. “Benderskiy was a key enabler of their relationship with Russian intelligence, which hired Evil Corp to conduct cyberattacks and espionage operations against NATO allies before 2019.”

“Following U.S. sanctions and indictments in December 2019, Benderskiy used his extensive influence with the Russian state to protect the group, both by providing security to senior members and ensuring that they were not pursued by internal Russian authorities.”
