LockBit Associates Arrested, Evil Corp Bigwig Outed

A global operation cuffed four LockBit suspects and offered more details into the org chart of Russia's infamous Evil Corp cybercrime gang.

Dark Reading Staff, Dark Reading

October 1, 2024

2 Min Read
Europol logo on an LED screen with silhouetted people using smartphones in the foreground
Source: M4OS Photos via Alamy Stock Photo

In another phase of Operation Cronos, Europol and Eurojust have taken more action against the LockBit ransomware gang by making four arrests and seizing devices used as part of the ransomware's infrastructure. In addition, Aleksandr Ryzhenkov (aka Beverley), who was once second-in-command for the infamous Evil Corp cybercrime organization, was sanctioned and named as an affiliate for LockBit, indicating ties between the two groups.

The arrests were of a suspected developer for the group in France; two LockBit affiliates apprehended by the British authorities; and a bulletproof hosting service administrator cuffed by Spanish police, which also confiscated nine servers. 

Meanwhile, the US, the UK, and Australia imposed sanctions against Ryzhenkov, who the UK's National Crime Agency identified as a top lieutenant to Evil Corp leader Maxim Yakubets. The US unsealed an indictment against him, and sanctioned 16 other individuals linked to the infamous gang.

Russia-based Evil Corp, the outfit behind the Zeus and Dridex banking Trojans, largely disappeared from the cybercrime scene following US sanctions in 2019, which included the outing of Yakubets, his relationship with an FSB agent who is his father-in-law, and the exposure of Evil Corp's inner workings.

Related:Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges

According to the NCA, Ryzhenkov was key to the development of Evil Corp's post-sanctions WastedLocker ransomware, which was a ransomware-as-a-service (RaaS) offering circulating in 2020. But in 2022, he turned up as a LockBit affiliate. Meanwhile, LockBit has denied having any working relationship with Evil Corp.

"The exposure of Evil Corp's ties to LockBit is a major blow to the ransomware affiliate market," said Ferhat Dikbiyik, head of research at Black Kite, in an emailed statement to Dark Reading. "February 2024 saw Operation Cronos take down LockBit's main infrastructure. Since then, LockBit has been using back-up Dark Web blogs to maintain its presence. Today, law enforcement agencies have taken further action — exposing critical ties between LockBit and Evil Corp, a group long associated with large-scale ransomware and financial crime operations."

LockBit ransomware has been deployed across a variety of sectors, including financial service, food and agriculture, education, energy, government and emergency services, and healthcare, among others. Because there are so many independent affiliates involved, there are a wide array of different attack tactics used by the threat actors. However, the Japanese Police, National Crime Agency, and FBI are focusing their expertise on developing decryption tools to recover files encrypted and lost to LockBit ransomware, according to Europol.

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights