Members of the Evil Corp cybercriminal gang are hit with a major action by Britain’s National Crime Agency


More than a dozen members of the cybercrime group Evil Corp are facing financial sanctions under the direction of Britain’s National Crime Agency – the announcement coincides with a new intelligence profile on the Russian-backed organization, also released on Tuesday.

Tuesday’s sanctions by the NCA target 16 members of the organized crime syndicate, while the US and Australia imposed a total of eight more sanctions against the group, including asset freezes and travel bans.

It all coincides with the NCA’s publication of a detailed dossier on the historical ins and outs of what many security insiders consider to be one of the ‘OG ransomware gangs’, operating with the full support of the Russian government.

British Foreign Secretary David Lammy said it was his “personal mission to attack the Kremlin with the full arsenal of sanctions at our disposal.”

“Putin has built a corrupt mafia state with himself at the center. We must fight this every step of the way, and today’s action is just the beginning,” Lammy said, adding that Tuesday’s sanctions “send a clear message to the Kremlin that we will not tolerate Russian cyber attacks – either from the state itself or from its cybercriminal ecosystem.”

Members of Evil Corp are sanctioned by Britain, the US and Australia. Members of the Evil Corp family pictured from left to right; Dmitriy Slobodskoy, cousin; Maksim Yakubets, leader; Artem Yakubets, brother; Kirill Slobodskoy, cousin. Image from the UK’s National Crime Agency.

The eight-page report, titled “Evil Corp: Behind the Screens,” illustrates a timeline of the group’s activities, from its initial founding by Evil Corp head Maksim Yakubets in 2007, through its official designation as a crime group in 2014, to its criminal endeavors in 2024.

The NCA detailed Evil Corp’s journey from a family-oriented financial crime group in Moscow to a booming cybercrime ring responsible for extorting at least $300 million from victims around the world, including healthcare, critical national infrastructure and government.

“Maksim took this family business into the 21st century, bringing with him his father (Viktor Yakubets), brother (Artem) and cousins (Kirill and Dmitry Slobodskoy),” branching out from the family’s money laundering operations into prolific cybercrime, the NCA report said.

Yakubets has evaded arrest by Western authorities since he was charged and sanctioned by the US government in 2019, along with a $5 million bounty for information leading to his arrest.

Now all four family members and Evil Corp members have been sanctioned, including one of the group’s directors, Igor Turashev, and his father-in-law, Eduard Benderskiy, a former senior FSB official.

Further Evil Corp cybercriminals have been exposed following NCA investigations, with one exposed as an associate of LockBit, while Britain, the US and Australia unveil sanctions.

Read the full story ➡️ https://t.co/MVHye4QU2T pic.twitter.com/VcXP2PquyU

National Crime Agency (NCA) (@NCA_UK), October 1, 2024

The Russian safety net is wide

Since the Lamborghini-driving leader was placed on the FBI’s most wanted list in 2019, Yakubets has hidden himself within Russia’s borders, enjoying a lavish lifestyle under the protection of all three major Russian intelligence services.

“He is roaming freely in Russia, and he is not in prison, and Russia is not taking any steps to arrest him,” Irina Tsukerman, a geopolitical analyst specializing in cybersecurity, told Cybernews in 2022.

The NCA portrays Evil Corp as going “well beyond the typical state-criminal relationship of protection, payoffs and extortion.”

It was also discovered that before 2019, Evil Corp was actually commissioned by Russian intelligence services to carry out cyber attacks and espionage operations against NATO allies.

Evil Corp is known for developing variants such as Dridex and GameOver Zeus; an Evil Corp profile from Mandiant threat researchers in 2019 linked the group to numerous other ransomware variants, including BitPaymer, DoppelPaymer, WastedLocker, Hades.PhoenixLocker, and Hades.PayLoadBin.


After Mandiant and law enforcement exposed its internal workings and ransomware variants, the cartel apparently took steps to change its ransomware toolkit. The cartel was even suspected of changing its name to distance itself from negative publicity, with possible ties to another ransomware group known as UNC2165.

In 2023, some members, operating under the name DoppelPaymer ransomware, were arrested and their servers were seized by German and Ukrainian authorities.

Evil Corp and LockBit connection

The NCA’s bold move follows further announcements on Tuesday about the arrest of four LockBit ransomware gang players, announced in collaboration with Europol, the FBI and at least a dozen other EU countries, including the British agency.

The revelation of the LockBit arrests also included news of an unsealed indictment by the US Department of Justice against high-ranking Evil Corp member Aleksandr Ryzhenkov, aka “Beverley,” who in his spare time was known as an affiliate of the LockBit group.

Ryzhenkov is labeled by the NCA as ‘a productive affiliate of LockBit and strongly linked to Evil Corp’ and is said to be the right-hand man of Evil Corp leader Maksim Yakubets.

“The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most damaging cybercrime groups of all time,” said James Babbage, director general of threats at the NCA.

“These sanctions expose even more members of Evil Corp, including someone affiliated with LockBit, and those who were key to enabling their activities,” he added.


Members of Evil Corp are sanctioned by Britain, the US and Australia. Members depicted from left to right; Denis Gusev, Aleksandr Ryzhenkov, Sergei Ryzhenkov, Artem Yakubets, Kirill Slobodskoy, Dmitriy Slobodskoy, Beyat Ramazanov. Image from the UK’s National Crime Agency.

For more on Tuesday’s LockBit arrests, seized servers and unsealed indictments, read Cybernews’ coverage of the third phase of Operation Cronos – an ongoing international effort to dismantle the infamous ransomware group, which was launched in February.

Ryzhenkov is believed to have been personally involved in carrying out at least 60 LockBit attacks in the US using BitPaymer, one of Evil Corp’s signature ransomware variants, which collected more than $100 million from victims.

“Today’s indictment against Ryzhenkov details how he and his conspirators stole the sensitive data of innocent Americans and then demanded ransoms,” said U.S. Deputy Attorney General Lisa Monaco.

“Together with law enforcement partners here and around the world, we will continue to put victims first and show these criminals that ultimately they will be the ones to pay for their crimes,” Monaco said.
