f11photo - stock.adobe.com
Unmasked: The Evil Corp cyber gangster who worked for LockBit
The NCA has named and shamed a prominent member of the Evil Corp cyber crime collective who also worked as an affiliate of the LockBit ransomware gang as the UK unveils new sanctions against 16 Russian cyber criminals
The UK’s National Crime Agency (NCA) has named and shamed a high-profile LockBit affiliate as its ongoing Operation Cronos takedown action against the notorious gang continues, exposing a relationship with the Evil Corp cyber crime organisation that was suspected by some, but never successfully confirmed up to now.
Having spent months trawling through the trove of information that passed into its hands in February when Operation Cronos kicked off, the NCA has today asserted with confidence that an individual LockBit affiliate going by the handle Beverley was at the same time a key player in the Evil Corp empire.
His real name is Aleksandr Ryzhenkov and he served as the right-hand man to Evil Corp’s infamous mastermind, Maksim Yakubets, for over a decade.
As a trusted associate and friend to Yakubets, Ryzhenkov took an active role developing the WastedLocker ransomware deployed by Evil Corp around 2020, when the group was in disarray following a December 2019 operation against it. From 2022, said the NCA, Ryzhenkov has also been working as a LockBit affiliate.
Gavin Webb, senior investigating officer on Operation Cronos, said that LockBit’s admin, LockBitSupp – real name Dmitry Khoroshev – had in the past denied any links to the long-lived Evil Corp gang.
“LockBit was very clear that he never worked with Evil Corp, and we've been able to show here very clearly that they did. One key affiliate [Ryzhenkov] was responsible for trying to extort $100m worth of Bitcoin and also targeting and creating builds against 60 victims at least,” said Webb, who added that the NCA is still working with the wider group of agencies involved in Operation Cronos to establish full details of LockBit affiliate activity and how the pieces of the puzzle fit together.
Besides Ryzhenkov, a total of 16 individuals associated with Evil Corp have been sanctioned in the UK, while in the US a new indictment has also been unsealed against Ryzhenkov.
Evil Corp is thought to have made $300m from victims around the world over the years, with known victims including many operators of critical national infrastructure (CNI), health sector organisations, and government and public bodies.
James Babbage, director general for threats at the NCA, said: “The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most harmful cyber crime groups of all time.
“These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity.
“Since we supported US action against Evil Corp in 2019, members have amended their tactics and the harms attributed to the group have reduced significantly. We expect these new designations to also disrupt their ongoing criminal activity.
In Putin’s pocket
During its investigation, the NCA also firmed up evidence of long-suspected links between Evil Corp and the Kremlin, revealing that Evil Corp ringleader Yakubets has been in the pocket of the Russian government and actively sought contacts and connections at the highest levels of the intelligence community.
Significantly, Yakubets was aided in this by his father-in-law, Eduard Benderskiy, a former high-ranking official in the FSB, who leveraged his contacts to hep Yakubets develop his relationship with the Russian state.
It has long been known that a link existed between Yakubets and the state via ex-Spetsnaz officer Benderskiy, who likely has the ear of Russian leader Vladimir Putin.
However, the NCA also revealed new intelligence that prior to 2019, Evil Corp was officially tasked with conducting cyber attacks and espionage actions against Nato countries.
After the December 2019 action against Evil Corp, in which Yakubets was indicted by the US, Benderskiy also brought his influence to bear in Moscow, leaning on others in the Russian government to make sure his family members were left alone.
Eduard Benderskiy is among the individuals newly-sanctioned today.
The NCA stressed that the relationship between the two was highly unusual, and that most Russia-based cyber criminal gangs operate on a financially motivated basis, albeit receiving a certain degree of arms-length "protection" from Moscow.
UK foreign secretary David Lammy said: “I am making it my personal mission to target the Kremlin with the full arsenal of sanctions at our disposal. Putin has built a corrupt mafia state with himself at its centre. We must combat this at every turn, and today’s action is just the beginning.”
A family affair
The family connection between Yakubets and Benderskiy is not the only one to exist within Evil Corp - indeed, unlike other financially motivated cyber crime gangs, the operation is very much a family firm.
Yakubets’ father, Viktor, was the first to dabble in financial crime after the fall of the Soviet Union and according to the NCA had significant ties to money laundering activity, so it may not be too surprising that when the young Maksim branched out into cyber crime he brought Viktor, his brother Artem, and cousins Kirill and Dmitry Slobodskoy along for the ride. All of these people are now also subject to UK sanctions.
Along with Yakubets’ friend Ryzhenkov, the men created an organised network of professional money mules, ran illicit crypto trading activities and set up legitimate front businesses. They even employed their own legal teams.
The NCA said it was likely this tight-knit family organisation, rather than any special technical capabilities – although these were pretty advanced – that enabled Evil Corp to become such a formidable cyber criminal force during the 2010s.
At the organisation’s peak, Evil Corp had physical office locations in Moscow, and the gang frequented known haunts including high-end restaurants. Yakubets, his family and associates worked hard and played hard, socialising among themselves, bringing along their wives and girlfriends, and even taking group holidays together.
LockBit takedown a humiliation for the gang
The LockBit gang, which infamously disrupted Royal Mail’s international services for weeks at the start of 2023, was taken down in Operation Cronos in February 2024 after a prolific crime spree that at one point saw it account for over a quarter of all known ransomware attacks worldwide.
Operation Cronos resulted in the near complete compromise of the LockBit operation. This was accomplished not merely through a technical takedown of its server infrastructure, but by creatively turning some of the gang’s tactics on it, among them the naming and shaming of key members, including its self-aggrandising leader Khoroshev.
Notably, Khoroshev himself was was trolled by the NCA earlier in the year when they revealed he did not, as he claimed, drive a Lamborghini but rather an elderly Mercedes that, living in sanctioned Russia, he could not get spare parts for anymore.
In this way, cyber experts say, the authorities have ensured that the crew is not just unable to operate, but has been humiliated in the eyes of its peers, and although individuals associated or affiliated with LockBit attempted a fightback at first, the reputational damage that the crew sustained in the takedown, along with a series of outbursts that got the unstable Khoroshev banned from underground cyber crime forums, meant nobody wanted to work with LockBit anymore, and these efforts largely faltered.
This is not to say the danger from LockBit has passed - eight months on, the ransomware locker itself remains a threat and has been used on new victims, but it has tended to be older, leaked builds being deployed without much success by small-time affiliates. With its credibility in tatters, the LockBit gang, said the NCA, is not what it was.
“The disruption that we carried out was as much about disrupting the group as it was about disrupting their trajectory of growth and preventing them becoming even bigger,” said Webb.
More arrests
In recent weeks, the NCA revealed, more arrests have been made in the UK and Europe of individuals who laundered money for LockBit. French authorities have arrested a suspected developer, while in Spain one of the main facilitators of LockBit’s infrastructure has been taken into custody, and a total of nine servers seized.
The NCA has also relaunched LockBit’s dark web portal, which it took over in February and has been using to taunt the cyber criminals, publishing more details of some of the individuals arrested in recent weeks.
Timeline of Lockbit activity
June 2022: LockBit ransomware gang launches bug bounty programme
August 2022: LockBit 3.0 cements dominance of ransomware ecosystem
October 2022: Ransomware crews regrouping as LockBit rise continues
October 2022: Advanced: Healthcare data was stolen in LockBit 3.0 attack
January 2023: LockBit cartel suspected of Royal Mail cyber attack
February 2023: Suspected LockBit ransomware attack causes havoc in City of London
February 2023: LockBit gang confirms Ion cyber attack as disruption continues
February 2023: LockBit cartel finally claims Royal Mail ransomware attack
February 2023: Royal Mail stands firm as LockBit leaks data and renews ransom demand
February 2023: Royal Mail refused to pay £66m LockBit ransom demand, logs reveal
March 2023: Ransomware attacks up 45% in February, LockBit responsible
June 2023: NCSC warns over ‘enduring’ LockBit threat
September 2023: LockBit ransomware gang allegedly leaks MoD data after hit on supplier
November 2023: Ransomware attack on major Chinese lender disrupts financial markets
November 2023: Royal Mail spent £10m on cyber measures after LockBit attack
November 2023: Canada’s Mounties among government employees hit by LockBit
November 2023: CISA reveals how LockBit hacked Boeing via Citrix Bleed
February 2024: Cops take down LockBit ransomware gang
February 2024: LockBit gang members arrested in Poland and Ukraine
February 2024: LockBit locked out: Cyber community reacts
February 2024: NCA trolls under fire LockBit gang leaders
February 2024: LockBit bids to save face after NCA takedown
February 2024: Inside LockBit: A ransomware gang in decline?
May 2024: NCA unmasks LockBitSupp cyber gangster who toyed with pursuers
June 2024: FBI finds 7,000 LockBit decryption keys in blow to criminal gang
August 2024: Advanced faces fine over LockBit attack that crippled NHS 111