In a significant move against one of the world’s most notorious cybercrime groups, the UK has sanctioned 16 individuals linked to Evil Corp, a criminal organization with ties to the Russian state. Among those newly exposed is a key affiliate of the LockBit ransomware group. Australia and the United States have also imposed sanctions, with the US unsealing an indictment against a prominent member of the group.
The UK’s National Crime Agency (NCA) played a pivotal role in uncovering Evil Corp’s extensive criminal network. Once a Moscow-based family financial crime group, Evil Corp expanded into cybercrime, reportedly extorting at least $300 million from global victims across sectors such as healthcare, critical national infrastructure, and government.
In 2019, the NCA’s investigation led to the indictment of Evil Corp’s leader, Maksim Yakubets, and administrator Igor Turashev in the US. Today, Yakubets, Turashev, and seven other members previously sanctioned by the US have also been sanctioned by the UK’s Foreign, Commonwealth & Development Office. Seven other members, whose links to the group had not been publicly known, were also sanctioned.
Aleksandr Ryzhenkov, Yakubets’ right-hand man and a LockBit affiliate, is now exposed. As part of Operation Cronos, an ongoing NCA-led international effort to disrupt Evil Corp, investigators discovered that Ryzhenkov had been involved in numerous LockBit ransomware attacks. The US Department of Justice has also unsealed an indictment charging Ryzhenkov with using BitPaymer ransomware to target American victims.
The sanctions also extend to key enablers of Evil Corp’s activities, including Yakubets’ father and father-in-law, a former high-ranking official in Russia’s Federal Security Service (FSB).
NCA: Cybercrime at a Critical Juncture
James Babbage, Director General for Threats at the NCA, emphasized the significance of these developments: “The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most harmful cybercrime groups of all time. These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity.”
Babbage highlighted the evolving tactics of Evil Corp since the US sanctions in 2019, noting the group’s reduced capacity to operate. The NCA remains committed to dismantling sophisticated ransomware groups that continue to threaten global cybersecurity.
Evil Corp’s Legacy of Cybercrime
Formed in 2014, Evil Corp was responsible for developing and deploying the Dridex and BitPaymer malware, targeting financial institutions across 40 countries and stealing over $100 million. The group maintained close ties to the Russian state, with some members involved in cyber espionage on behalf of Russian intelligence.
Following the 2019 sanctions, Evil Corp faced operational difficulties, forcing many of its members to go underground and adopt more sophisticated measures to evade law enforcement. Despite these challenges, some members continued to develop new strains of ransomware, including WastedLocker and PhoenixLocker, while others shifted to using ransomware from other crime groups, like LockBit.
International Cooperation Continues
The international investigation into LockBit remains ongoing. Recently, the NCA revived LockBit’s original leak site, detailing additional arrests, including the capture of a suspected LockBit developer in France and the seizure of nine servers used by the group in Spain.
The UK’s Foreign Secretary, David Lammy, reiterated the government’s resolve: “I am making it my personal mission to target the Kremlin with the full arsenal of sanctions at our disposal. Putin has built a corrupt mafia state with himself at its center. We must combat this at every turn, and today’s action is just the beginning.
“Today’s sanctions send a clear message to the Kremlin that we will not tolerate Russian cyber-attacks – whether from the state itself or from its cyber-criminal ecosystem,” Lammy added.
Security Minister Dan Jarvis added that cybercrime causes immense damage globally, but these actions show that there are serious consequences for those involved.
Advice for Organizations
Jonathon Ellison, Director for National Resilience and Future Technology at the UK’s National Cyber Security Centre (NCSC), urged businesses to follow the NCSC’s ransomware guidance to reduce their vulnerability to attacks and develop robust response plans.
“Ransomware is the most significant cybercrime threat facing the UK and the world. The NCA is dedicated to working with our partners in the UK and overseas, sharing intelligence and working to disrupt the most sophisticated and harmful ransomware groups, no matter where they are or how long it takes,” Babbage ended.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.