
Further Evil Corp cyber criminals exposed, one unmasked as LockBit affiliate 

Sixteen individuals who were part of Evil Corp, once believed to be the most significant cybercrime threat in the world, have been sanctioned in the UK, with their links to the Russian state and other prolific ransomware groups, including LockBit, exposed.

Sanctions have also been imposed by Australia and the US, who have unsealed an indictment against a key member of the group.

An extensive investigation by the NCA has helped map out the history and reach of Evil Corp’s criminality: from a family-centred financial crime group in Moscow that branched out into cybercrime, it went on to extort at least $300 million from global victims, including those within healthcare, critical national infrastructure, and government, among other sectors.

In 2019, this investigation contributed to the head of Evil Corp, Maksim Yakubets, and one of the group’s administrators, Igor Turashev, being indicted in the US and sanctioned, along with several other members of the group.

Today, Yakubets, Turashev, and seven of those sanctioned by the US in 2019 have also been designated in the UK by the Foreign, Commonwealth and Development Office, along with an additional seven individuals, whose links and support for the group have not previously been exposed.

This includes Aleksandr Ryzhenkov, Yakubets’ right-hand man, in whom he placed a lot of trust and with whom he worked closely to develop some of the group’s most prolific ransomware strains. He has also been identified as a LockBit affiliate as part of Operation Cronos – the ongoing NCA-led international disruption of the group. Investigators analysing data obtained from the group’s own systems found he has been involved in LockBit ransomware attacks against numerous organisations.

Separately, the US Department of Justice has unsealed an indictment charging Ryzhenkov for using BitPaymer ransomware to target victims across the US.

Also sanctioned today in the UK are Yakubets’ father, Viktor Yakubets, his father-in-law, Eduard Benderskiy, a former high-ranking FSB official, and others who were key to enabling Evil Corp’s criminal activity.

James Babbage, Director General for Threats at the NCA, said:

“The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most harmful cybercrime groups of all time.

“These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity.

“Since we supported US action against Evil Corp in 2019, members have amended their tactics and the harms attributed to the group have reduced significantly. We expect these new designations to also disrupt their ongoing criminal activity.

“Ransomware is the most significant cybercrime threat facing the UK and the world. The NCA is dedicated to working with our partners in the UK and overseas, sharing intelligence and working to disrupt the most sophisticated and harmful ransomware groups, no matter where they are or how long it takes.”

Evil Corp officially formed as a crime group in 2014. They were responsible for the development and distribution of BitPaymer and Dridex, which they used to target banks and financial institutions in over 40 countries, stealing over $100m.

The group were in a privileged position, with some members having close links to the Russian state. Benderskiy was a key enabler of their relationship with the Russian Intelligence Services who, prior to 2019, tasked Evil Corp to conduct cyber attacks and espionage operations against NATO allies.

After the US sanctions and indictments in December 2019, Benderskiy used his extensive influence with the Russian state to protect the group, both by providing senior members with security and by ensuring they were not pursued by Russian internal authorities.

However, the 2019 activity caused considerable disruption to Evil Corp, damaging their brand and ability to operate, including making it harder for them to elicit ransom payments from victims.

It caused them to have to rebuild, change tactics and take increased measures to hide their activity from law enforcement, with many members going underground, abandoning online accounts and restricting their movements.

They continued to adapt and some members went on to develop further malware and ransomware strains, most notably WastedLocker, Hades, PhoenixLocker, PayloadBIN and Macaw. Their focus narrowed, switching from volume attacks to targeting high-earning organisations.

Other members moved away from using their own technical tools, instead using ransomware strains developed by other crime groups, such as LockBit.

The NCA is continuing to track illicit activity conducted by various former members of Evil Corp, including their involvement in ransomware attacks.

The international investigation into LockBit is also ongoing and this week their original leak site, which remains under the control of the NCA, went live once more. It details further action taken by the Cronos Taskforce, including NCA arrests in August of two people believed to be associated with a LockBit affiliate, on suspicion of Computer Misuse Act and money laundering offences.

In the same month, French authorities secured the arrest of a suspected LockBit developer, and Spanish police detained one of the main facilitators of LockBit infrastructure, as well as seizing nine servers used by the group.

Foreign Secretary, David Lammy said:

“I am making it my personal mission to target the Kremlin with the full arsenal of sanctions at our disposal.

“Putin has built a corrupt mafia state with himself at its centre. We must combat this at every turn, and today’s action is just the beginning.

“Today’s sanctions send a clear message to the Kremlin that we will not tolerate Russian cyber-attacks – whether from the state itself or from its cyber-criminal ecosystem.”

Security Minister, Dan Jarvis said:

“Cyber-crime causes immense damage to people and business across the world but today’s action is evidence that there are serious consequences for those involved.

“We will continue to work with our international partners to pursue and expose malicious cyber activity and protect the public.”

Jonathon Ellison, NCSC Director for National Resilience and Future Technology, said:

“Every day we see ransomware incidents have real-world consequences for UK victims, disrupting key services, damaging businesses’ finances and putting individuals’ data at risk.

“I welcome today’s sanctions against Evil Corp-affiliated cyber actors, who have caused harm in the UK and beyond, and strongly support the coordinated steps taken with allies to ensure cyber crime does not pay.

“All organisations are encouraged to follow the NCSC’s ransomware guidance to help reduce their chances of falling victim to an attack and to ensure they have tried-and-tested response plans in case the worst should happen.”

1 October 2024
