A coalition of international law enforcement agencies [8] [9] has intensified efforts against the Russia-based cybercrime syndicate Evil Corp and its potential ties to the LockBit ransomware group. This initiative, known as “Operation Cronos,” has led to significant arrests and seizures across multiple countries, highlighting the global response to cybercrime.

## Description

A coalition of international law enforcement agencies, including Europol and the UK’s National Crime Agency, has intensified operations against the Russia-based cybercrime syndicate Evil Corp and its potential ties to the LockBit ransomware group [4]. Recent coordinated actions across 12 countries, part of an operation known as “Operation Cronos,” have resulted in significant arrests and seizures. Among those apprehended was Aleksandr Viktorovich Ryzhenkov [11], a prominent Russian national and high-ranking affiliate of LockBit [12], who is also a key member of Evil Corp, known by aliases such as Beverley and mx1r. Ryzhenkov has been linked to the deployment of BitPaymer ransomware since at least June 2017 and is reported to have created over 60 LockBit ransomware builds [9], seeking to extort at least $100 million from victims [5] [9]. He has been charged in connection with various cybercrime operations [11], with the US Department of Justice primarily focusing on his involvement with BitPaymer ransomware. His brother [5] [9], Sergey Ryzhenkov [5] [9], known as Epoch [5], is also associated with BitPaymer ransomware.

In the United Kingdom [6], two individuals linked to a LockBit affiliate were arrested for supporting the group’s activities, likely involved in deployment [3], negotiation [3], or money laundering [3]. French authorities detained a suspected ransomware developer who played a crucial role in LockBit’s functionality while on holiday. Spanish officers seized nine servers associated with LockBit’s ransomware infrastructure and apprehended an administrator of a bulletproof hosting service that managed servers resistant to law enforcement actions. Additionally, the Australian Federal Police conducted Operation Kraken [10], targeting the Ghost criminal messaging network [10], allegedly operated by an Australian national who has since been arrested [10]. LockBit has been responsible for attacks on over 2,500 entities across more than 120 countries and has extorted over $100 million since 2019.

In response to these activities, the United Kingdom [6], the United States [6], and Australia imposed sanctions on individuals connected to Evil Corp, including Viktor Yakubets and Eduard Benderskiy [5] [9]. Benderskiy [5] [7] [9], a former Russian intelligence official and father-in-law of Evil Corp leader Maksim Yakubets [7], has been highlighted for his role in providing protection and influence to the group, serving as a significant link between Evil Corp and the Russian state. The UK has sanctioned a total of 16 individuals associated with Evil Corp [8], including key affiliate Aleksandr Ryzhenkov and 15 other Russian citizens for their involvement in the group’s criminal activities. The United States unsealed an indictment against Ryzhenkov and sanctioned six citizens, while Australia sanctioned two [6].

Active since 2014 [5], Evil Corp has targeted banks and financial institutions to steal credentials and conduct unauthorized fund transfers [5]. Ryzhenkov is also linked to UNC2165, an offshoot of Evil Corp [5], further illustrating the connections between Russian cybercrime groups and the Kremlin [5]. A report indicates a connection between Evil Corp and the LockBit cybercriminal group [2], revealing that both have used the same deposit addresses at centralized exchanges [2], suggesting possible collaboration [2] [4]. There are indications that Evil Corp has utilized LockBit’s ransomware to rebrand and evade sanctions [4], with several key members believed to have close ties [4], reinforcing speculation of internal connections [4]. Western authorities have characterized this case as an exception rather than the norm [7], highlighting the significant financial gains generated by these organizations and their ties to Russian government cyberespionage. Despite ongoing law enforcement efforts, LockBit continues to operate using new infrastructure [1], functioning on a Ransomware-as-a-Service (RaaS) model [3]. This model allows the core group to develop malware and sell access to affiliates who conduct the actual attacks [3], facilitating rapid expansion but introducing variability in operations due to diverse affiliate tactics [3]. The recent takedown of LockBit’s infrastructure, including servers and domains [3], through technical infiltration has significantly disrupted its operational capacity, revealing a chaotic governance structure where affiliates operated with little oversight [3].

## Conclusion

The international crackdown on Evil Corp and LockBit underscores the global commitment to combating cybercrime. The arrests [1] [2] [3] [4] [5] [7], sanctions [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and infrastructure disruptions have dealt a significant blow to these groups, yet the persistence of their operations highlights the ongoing challenge. Continued international cooperation and adaptive strategies will be crucial in mitigating the threat posed by such sophisticated cybercriminal networks in the future.

References

[1] https://www.digitalguardian.com/blog/friday-five-threat-actors-and-law-enforcement-throwing-punches-vulnerability-concerns-more
[2] https://decrypt.co/284813/russian-evil-corp-sanctions-ransomware
[3] https://riskandresilience.substack.com/p/week-40-lockbit-disrupted-with-4
[4] https://news.shib.io/2024/10/07/russian-evil-corp-syndicate-may-have-links-with-lockbit-report/
[5] https://www.isss.org.uk/news/lockbit-ransomware-and-evil-corp-members-arrested-and-sanctioned-in-joint-global-effort/
[6] https://www.cybersecurityintelligence.com/blog/lockbit-arrests-and-sanctions-7988.html
[7] https://www.s-rminform.com/en-us/cyber-intelligence-briefing/cyber-intelligence-briefing-4-october-2024
[8] https://thehackernews.com/2024/10/thn-cybersecurity-recap-top-threats-and.html
[9] https://thecyberpost.com/news/hackers/lockbit-ransomware-and-evil-corp-members-arrested-and-sanctioned-in-joint-global-effort/
[10] https://defenceconnect.libsyn.com/cyber-uncut-lockbit-arrests-and-aussie-criminal-mastermind-arrested-and-its-cyber-security-awareness-month
[11] https://www.bitdefender.com/en-us/blog/hotforsecurity/lockbit-hacker-suspects-unmasked-in-global-law-enforcement-crackdown/
[12] https://www.cybersecurity-review.com/uks-sellafield-nuclear-waste-processing-plant-fined-333k-for-infosec-blunders/