Unmasked: Evil Corp’s cyber gangster who worked for LockBit

Britain’s National Crime Agency (NCA) has named and shamed a high-profile LockBit affiliate as Operation Cronos, the ongoing operation against the notorious gang, continues, exposing a relationship with cybercrime organization Evil Corp that was suspected by some but had never been confirmed until now.

After months of sifting through the wealth of information obtained in February when Operation Cronos was launched, the NCA has today confidently alleged that an individual LockBit affiliate operating as Beverley was at the same time a key player in the Evil Corp empire.

His real name is Aleksandr Ryzhenkov and he was the right-hand man of the infamous Evil Corp mastermind Maksim Yakubets for over a decade.

As a trusted associate and friend of Yakubets, Ryzhenkov played an active role in developing the WastedLocker ransomware deployed by Evil Corp around 2020, when the group was in disarray following an operation against it in December 2019. As of 2022, the NCA said, Ryzhenkov also operates as a LockBit affiliate.

Operation Cronos senior investigative officer Gavin Webb said LockBit’s administrator, LockBitSupp – real name Dmitry Khoroshev – had in the past denied any link to the long-lived Evil Corp gang.

“LockBit was very clear that he never worked with Evil Corp, and we were able to show very clearly here that they did. One key partner (Ryzhenkov) was responsible for trying to extort $100 million worth of Bitcoin and also targeting and creating builds against at least 60 victims,” said Webb, who added that the NCA continues to work with the broader group of agencies involved in Operation Cronos to determine all the details of the LockBit partner activities and how the pieces of the puzzle fit together.

In addition to Ryzhenkov, a total of sixteen people associated with Evil Corp have been punished in Britain, while a new indictment against Ryzhenkov has also been opened in the US.

Evil Corp is believed to have made $300 million from victims around the world over the years, with known victims including many Critical National Infrastructure (CNI) operators, healthcare industry organizations, and government and public agencies.

James Babbage, director general for threats at the NCA, said: “The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most damaging cybercrime groups of all time.

“These sanctions expose even more members of Evil Corp, including someone affiliated with LockBit, and those who were key to enabling their activities.

“Since we supported the US action against Evil Corp in 2019, members have adjusted their tactics and the damage attributed to the group has been significantly reduced. We expect these new designations will also disrupt their ongoing criminal activities.”

In Putin’s pocket

During its investigation, the NCA also strengthened evidence of long-suspected links between Evil Corp and the Kremlin, showing that Evil Corp leader Yakubets was in the pocket of the Russian government and actively sought contacts and connections at the highest levels of the intelligence community.

Significantly, Yakubets was helped in this by his father-in-law, Eduard Benderskiy, a former senior official in the FSB, who used his contacts to help Yakubets develop his relationship with the Russian state.

It has long been known that there was a connection between Yakubets and the state through ex-Spetsnaz officer Benderskiy, who probably has the ear of Russian leader Vladimir Putin.

However, the NCA also revealed new information that Evil Corp was officially tasked with carrying out cyber attacks and espionage actions against NATO countries before 2019.

Following the action against Evil Corp in December 2019, which saw Yakubets charged by the US, Benderskiy also used his influence in Moscow, leaning on others in the Russian government to ensure his relatives were left alone.

Both Viktor Yakubets and Eduard Benderskiy are among those sanctioned today.

The NCA emphasized that the relationship between the two was highly unusual, and that most Russia-based cybercriminal gangs operate on a financially motivated basis, although they receive a degree of ‘protection’ at arm’s length from Moscow.

British Foreign Secretary David Lammy said: “I am making it my personal mission to attack the Kremlin with the full arsenal of sanctions at our disposal. Putin has built a corrupt mafia state in which he himself is central. We must fight this at every opportunity, and today’s action is just the beginning.”

LockBit takedown an indignity for the gang

The LockBit gang, which infamously disrupted Royal Mail’s international services in early 2023, was taken down in Operation Cronos in February 2024 after a prolific crime wave in which it was at one point responsible for more than a quarter of all known ransomware attacks worldwide.

Operation Cronos resulted in the almost complete compromise of the LockBit operation. This was achieved not only through a technical dismantling of the server infrastructure, but also by creatively turning a number of the gang’s own tactics against it, such as naming and shaming key members, including self-aggrandizing leader Khoroshev.

Notably, Khoroshev himself was duped by the NCA earlier this year when they revealed that he was not, as he claimed, driving a Lamborghini, but rather an older Mercedes for which, because he lived in sanctioned Russia, he could no longer obtain spare parts.

In this way, cyber experts say, authorities have left the crew not only unable to operate but also humiliated in the eyes of their colleagues. The humiliation suffered by the crew during the attack, along with a series of outbursts that saw the unstable Khoroshev banned from underground cybercrime forums, meant that no one wanted to work with LockBit anymore, and these efforts largely failed.

This isn’t to say that the danger from LockBit has passed: eight months later, the ransomware locker itself remains a threat and has been used on new victims, but these tend to be older, leaked builds deployed by small affiliates without much success. With its credibility in tatters, the LockBit gang, the NCA said, is not what it used to be.

“The disruption we implemented was as much about disrupting the group as it was about disrupting their growth trajectory and preventing them from getting any bigger,” Webb said.

More arrests

The NCA revealed that there have been more arrests of people laundering money for LockBit in recent weeks in Britain and Europe. French authorities have arrested a suspected developer, while in Spain one of the main enablers of LockBit’s infrastructure has been taken into custody and a total of nine servers have been seized.

The NCA has also relaunched LockBit’s dark web portal, which it acquired in February and used to target the cybercriminals, publishing more details about some of the individuals arrested in recent weeks.
