Four Individuals Involved in LockBit Ransomware Attacks Arrested; Evil Corp Members Sanctioned

An international law enforcement operation has resulted in the arrest of four individuals suspected of involvement in LockBit ransomware attacks and the takedown of nine servers linked to LockBit ransomware operations.

Operation Cronos

The latest actions are part of phase three of Operation Cronos, an international law enforcement operation led by the UK’s National Crime Agency (NCA) that successfully disabled the online infrastructure of the LockBit ransomware operation in February this year. The February operation caused significant disruption to the group’s operations, and although the group claimed to have restored infrastructure within a week, it was clear that the disruption from Operation Cronos lasted longer than the group was willing to acknowledge. The NCA obtained approximately 7,000 decryption keys, which allowed victims to recover their data.

The operation uncovered the group’s leader, Russian national Dmitry Khoroshev, also known as LockBitSupp, who has since been sanctioned by the Foreign, Commonwealth & Development Office (FCDO), the US Treasury Department’s Office of Foreign Assets Control (OFAC), and the Australian Government’s Ministry of Foreign Affairs. Dmitry Khoroshev, along with suspected LockBit members Artur Sungatov and Ivan Kondratyev, has been charged for involvement in LockBit attacks, and several arrests have been made. Two suspected members of the group pleaded guilty in July 2024 to their involvement in LockBit.

Law enforcement agencies collected a significant amount of data during the operation, which allowed the identification of some of the group’s members and affiliates. The operation also confirmed that despite the group’s claims that stolen data is deleted when the ransom is paid, this is not the case. In February, the Justice Department and the NCA said the group allegedly extorted as much as $1 billion in at least 7,000 ransomware attacks between June 2022 and February 2024.

Four more people arrested

The final phase of Operation Cronos involved law enforcement agencies in twelve countries, supported by Eurojust and Europol. Four more individuals have been arrested for their involvement in the LockBit operation, including a suspected developer who left Russia for a vacation and was arrested at the request of French authorities under an extradition treaty France had with the country. Two people have been arrested in Britain, one of whom is suspected of being a LockBit affiliate and the other has been arrested for alleged money laundering activities for the group. The identities of the two individuals were revealed after analysis of data obtained during the seizure of LockBit’s infrastructure in February.

“I make it my personal mission to attack the Kremlin with the full arsenal of sanctions at our disposal,” British Foreign Secretary David Lammy said. “Putin has built a corrupt mafia state in which he himself is central. We must fight this at every opportunity, and today’s action is just the beginning. Today’s sanctions send a clear message to the Kremlin that we will not tolerate Russian cyberattacks – neither from the state itself nor from its cybercriminal ecosystem.”

The operator of a bulletproof hosting service used by LockBit was arrested by Spanish law enforcement at Madrid airport, and Spanish authorities seized nine servers used by the group. The United States, the United Kingdom and Australia have announced sanctions against an individual suspected of being a very active member of the group for his role in attacks and money laundering activities. That person is Russian citizen Aleksandr Ryzhenkov, 31, a known associate of the head of the infamous cybercrime group Evil Corp.

The United Kingdom, the United States and Australia have separately imposed sanctions on 16 members of the cybercrime gang Evil Corp, a group that has reportedly stolen around $300 million over the past decade. Evil Corp is known to be involved in ransomware activities and has carried out many attacks using the BitPaymer ransomware, but this is the first time that Evil Corp has been linked to the LockBit operation. The LockBit group has previously stated that it will not work with Evil Corp.

Aleksandr Ryzhenkov is believed to be a high-ranking member of LockBit and is said to have created more than 60 versions of the LockBit ransomware and carried out many attacks, demanding more than $100 million in ransoms. Aleksandr Ryzhenkov was indicted in the United States for his Evil Corp activities, which included carrying out BitPaymer ransomware attacks on numerous victims in Texas and throughout the United States.

“The Department of Justice is using every tool at its disposal to attack the ransomware threat from every angle,” said Deputy Attorney General Lisa Monaco. “Today’s indictment against Ryzhenkov details how he and his conspirators stole the sensitive data of innocent Americans and then demanded ransoms. Together with law enforcement partners here and around the world, we will continue to put victims first and show these criminals that they will ultimately be the ones to pay for their crimes.”

Evil Corp structure and known members. Source: US Department of the Treasury.

The post Four Individuals Linked to LockBit Ransomware Attacks Arrested; Evil Corp Members Sanctioned first appeared on The HIPAA Journal.
