LockBit Associates Arrested, Evil Corp Bigwig Outed

In another phase of Operation Cronos, Europol and Eurojust have taken more action against the LockBit ransomware gang by making four arrests and seizing devices used as part of the ransomware's infrastructure. In addition, Aleksandr Ryzhenkov (aka Beverley), who was once second-in-command for the infamous Evil Corp cybercrime organization, was sanctioned and named as an affiliate for LockBit, indicating ties between the two groups.

The arrests were of a suspected developer for the group in France; two LockBit affiliates apprehended by the British authorities; and a bulletproof hosting service administrator cuffed by Spanish police, which also confiscated nine servers. 

Meanwhile, the US, the UK, and Australia imposed sanctions against Ryzhenkov, who the UK's National Crime Agency identified as a top lieutenant to Evil Corp leader Maxim Yakubets. The US unsealed an indictment against him, and sanctioned 16 other individuals linked to the infamous gang.

Russia-based Evil Corp, the outfit behind the Zeus and Dridex banking Trojans, largely disappeared from the cybercrime scene following US sanctions in 2019, which included the outing of Yakubets, his relationship with an FSB agent who is his father-in-law, and the exposure of Evil Corp's inner workings.

Related:Dark Reading News Desk Live From Black Hat USA 2024

According to the NCA, Ryzhenkov was key to the development of Evil Corp's post-sanctions WastedLocker ransomware, which was a ransomware-as-a-service (RaaS) offering circulating in 2020. But in 2022, he turned up as a LockBit affiliate. Meanwhile, LockBit has denied having any working relationship with Evil Corp.

"The exposure of Evil Corp's ties to LockBit is a major blow to the ransomware affiliate market," said Ferhat Dikbiyik, head of research at Black Kite, in an emailed statement to Dark Reading. "February 2024 saw Operation Cronos take down LockBit's main infrastructure. Since then, LockBit has been using back-up Dark Web blogs to maintain its presence. Today, law enforcement agencies have taken further action — exposing critical ties between LockBit and Evil Corp, a group long associated with large-scale ransomware and financial crime operations."

LockBit ransomware has been deployed across a variety of sectors, including financial service, food and agriculture, education, energy, government and emergency services, and healthcare, among others. Because there are so many independent affiliates involved, there are a wide array of different attack tactics used by the threat actors. However, the Japanese Police, National Crime Agency, and FBI are focusing their expertise on developing decryption tools to recover files encrypted and lost to LockBit ransomware, according to Europol.

Related:Darktrace Announces Formal Completion of its Acquisition by Thoma Bravo