Cybercrime , Fraud Management & Cybercrime , Ransomware

LockBit and Evil Corp Targeted in Anti-Ransomware Crackdown

UK Police Say Evil Corp 'Right-Hand Man' Was Also a LockBit Affiliate
LockBit and Evil Corp Targeted in Anti-Ransomware Crackdown
Aleksandr Ryzhenkov, indicted in the United States for involvement with BitPaymer ransomware and sanctioned in the U.S., United Kingdom and Australia for being a LockBit affiliate. (Image: FBI)

Law enforcement from the United States, United Kingdom, France and Spain made a coordinated announcement Tuesday of further arrests, indictments, sanctions and server takedowns targeting the Russian cybercriminal underground including additional strikes against the LockBit ransomware-as-a-service operation.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

The U.S. Department of Justice on Tuesday unsealed a seven-count criminal indictment against Russian national Aleksandr Viktorovich Ryzhenkov, aka Lizardking, who's believed to be in Russia. Authorities have accused the 31-year-old of using BitPaymer ransomware against U.S. victims since at least June 2017. British police said Ryzhenkov more recently has acted as a LockBit affiliate. He allegedly made more than 60 LockBit ransomware builds and attempted to extort at least $100 million from victims in ransom demands.

The Tuesday announcements were timed to coincide with the second day of an annual meeting of the International Counter Ransomware Initiative, a U.S.-led coalition of more than five dozen countries that have pledged to cooperate closely in the ongoing fight against ransomware (see: White House Pledges Major Deliverables at Ransomware Summit).

Police touted a Spanish-led seizure of LockBit servers, the arrest in August of a "major LockBit actor" - detained while vacationing outside Russia, at France's request - and LockBit-related arrests in the U.K.

Evil Corp Further Targeted by Sanctions

Britain's National Crime Agency said Ryzhenkov served as the "right-hand man" to Maksim Yakubets, aka Aqua, who heads Evil Corp, the Russian-speaking criminal hacking group whose turn in the international law enforcement spotlight since 2019 has greatly diminished its capabilities (see: Evil By A Different Name: Crime Gang Rebrands Ransomware).

Research released by cybersecurity firm Mandiant in 2022 suggested Evil Corp and its leadership were using LockBit to evade U.S. sanctions imposed in 2019 against Yakubets, alleged co-administrator Igor Turashev, and five other individuals.

The sanctions have now been extended to Ryzhenkov, thanks to information gleaned by an ongoing effort to target LockBit participants and infrastructure dubbed Operation Cronos. "Investigators analyzing data obtained from the group's own systems found he has been involved in LockBit ransomware attacks against numerous organizations" under the handle of "Beverley," the NCA said.

Prior to that, authorities said Ryzhenkov helped Evil Corp develop multiple strains of malware. The group has been tied to attacks involving BitPaymer ransomware, as well as Dridex malware used against financial institutions in more than 40 countries, leading to criminal profits of over $100 million.

As part of the Tuesday announcements, Australia, the U.K. and the U.S. introduced financial sanctions against Ryzhenkov as well as six other individuals and two Russian companies accused of acting on behalf of Evil Corp.

Included in that list are the father and father-in-law of Evil Corp leader Maksim Viktorovich Yakubets, who federal prosecutors indicted in 2019 for Dridex banking Trojan attacks. Yakubets' father, Viktor Yakubets, allegedly procured technical equipment for Evil Corp, while his father-in-law, Eduard Benderskiy, was a former high-ranking FSB official who served as an intermediary between Russian intelligence agencies and the cybercriminal group, U.S. Treasury officials said.

Fallout from attacks the FSB ordered Evil Corp to launch against NATO allies led the group to rebuild and refresh its tactics, not least to try and operate more clandestinely, the NCA said. "They continued to adapt and some members went on to develop further malware and ransomware strains, most notably WastedLocker, Hades, PhoenixLocker, PayloadBIN and Macaw," it said. "Their focus narrowed, switching from volume attacks to targeting high-earning organizations," via what's known as big-game hunting.

LockBit Disruption Continues

Spanish national police arrested at a Madrid airport the owner of a criminal online "bulletproof" infrastructure provider and announced the seizure of nine servers. The unidentified suspect was "one of the main facilitators of infrastructure" for the increasingly beleaguered ransomware group, police said on a darknet website seized in February that formerly served as LockBit's leak site.

The French National Police announced that a suspected malware developer for LockBit was arrested, at their request, while vacationing outside Russia, which never extradites its citizens to face foreign charges. French authorities filed an extradition request.

"This individual is facing severe charges in the French core case against the LockBit organized crime group," the French National Police said. They declined to name the suspect or country that detained them.

"Good news that some alleged LockBit ransomware people got picked up in Europe," said British cybersecurity expert Kevin Beaumont in a Monday post to social platform Mastodon ahead of the announcements. "It's a fantasy that all ransomware activity is originating from Russia."

The police actions are the latest in a series as part of an international law enforcement operation dubbed Operation Cronos. Authorities in February seized more than 35 LockBit servers and replaced the group's then-dark web leak page with a seizure notice (see: LockBit Infrastructure Seized by US, UK Police).

The NCA earlier this year reported that it had been able to "fully compromise LockBit's platform" and obtain 2,500 decryption keys, as well as a complete list of all LockBit affiliate usernames and Bitcoin addresses linked to victim payments. Authorities identified Russian national Dmitry Khoroshev as "LockBitSupp," the group's mercurial leader who previously kept his real identity a closely guarded secret (see: LockBitSupp's Identity Revealed: Dmitry Yuryevich Khoroshev). Investigators also found that despite the group's promise to delete stolen data for any victim who paid a ransom, since at least December 2022 the criminals hadn't deleted any data.

The disruptions appear to be having an operational impact, with multiple affiliates having deserted the group, leading to fewer attacks, the NCA said. One sign of apparent resulting desperation is the group having "resorted to duplicating claimed victims, almost certainly to boost victim numbers and mask the impact of Operation Cronos," it said. "Of the significant large victims claimed since the takedown, two-thirds are complete lies from LockBit (quelle surprise!), and the remaining third cannot be verified as real victims."

Federal prosecutors in May indicted Khoroshev in New Jersey federal court on 26 criminal charges, which included conspiracy to commit wire fraud, intentional damage to protected computers and extortion. Prosecutors said Khoroshev earned at least $100 million from victims, keeping a 20% cut of every ransom paid to affiliates. Since LockBit's inception in 2019, authorities estimate the group targeted more than 3,000 victims worldwide and extorted at least $500 million in ransom payments.

"This is probably the most impactful disruption to date in terms of its psychological impact on cybercriminals," said Brett Callow, managing director of cybersecurity at FTI Consulting told Information Security Media Group in a Monday email. "No ransomware operation is bulletproof and the real question is what other ransomware operations have been compromised by law enforcement."

Once a high-flier that traded both on the sophistication of its crypto-locking malware as well as outspoken reputation, LockBit's star has continued to fall. In the second quarter of this year, ransomware incident response firm Coveware reported seeing LockBit tied to fewer attacks it investigated, compared to before Operation Cronos.

Many LockBit affiliates appeared to either have begun to work solo by using freely available ransomware source code such as Phobos, or else to have aligned themselves with other groups, such as Akira, BlackSuit, RansomHub and Medusa, while "bringing their playbooks and toolkits with them," Coveware said (see: The Upside-Down, Topsy-Turvy World of Ransomware).

Ransomware experts said Operation Cronos has been a master-stroke on multiple fronts, including thanks to law enforcement trolling the trollers, undermining their credibility. The use of such psychological operations - aka PsyOps - highlights that ransomware operations are staffed by "real humans," who have a stake not just in the reputation of the operation they work with, but also "interpersonal relationships" that can and have been targeted, said threat intelligence firm Analyst1.

"This time, perhaps, it was law enforcement's turn to play mastermind games publicly," it said.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.