Source: NCA
Sixteen individuals who were part of Evil Corp, once believed to be the most significant cybercrime threat in the world, have been sanctioned in the UK, with their links to the Russian state and other prolific ransomware groups, including LockBit, exposed.
Sanctions have also been imposed by Australia and the US, who have unsealed an indictment against a key member of the group.
An extensive investigation by the NCA has helped map out the history and reach of Evil Corp’s criminality; from a family-centred financial crime group in Moscow that branched out into cybercrime, going on to extort at least $300 million from global victims including those within healthcare, critical national infrastructure, and government, among other sectors.
In 2019, this investigation contributed to the head of Evil Corp, Maksim Yakubets, and one of the group’s administrators, Igor Turashev, being indicted in the US and sanctioned, along with several other members of the group.
Today, Yakubets, Turashev, and seven of those sanctioned by the US in 2019 have also been designated in the UK by the Foreign, Commonwealth and Development Office, along with an additional seven individuals, whose links and support for the group have not previously been exposed.
This includes Aleksandr Ryzhenkov, Yakubets’ right-hand man in whom he placed a lot of trust and worked closely with to develop some of the group’s most prolific ransomware strains. He has also been identified as a LockBit affiliate as part of Operation Cronos - the ongoing NCA-led international disruption of the group. Investigators analysing data obtained from the group’s own systems found he has been involved in LockBit ransomware attacks against numerous organisations.
Separately, the US Department of Justice has unsealed an indictment charging Ryzhenkov for using BitPaymer ransomware to target victims across the US.
Also sanctioned today in the UK are Yakubets’ father, Viktor Yakubets, his father-in-law, Eduard Benderskiy, a former high-ranking FSB official, and others who were key to enabling Evil Corp’s criminal activity.
James Babbage, Director General for Threats at the NCA, said:
“The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most harmful cybercrime groups of all time.
“These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity.
“Since we supported US action against Evil Corp in 2019, members have amended their tactics and the harms attributed to the group have reduced significantly. We expect these new designations to also disrupt their ongoing criminal activity.
“Ransomware is the most significant cybercrime threat facing the UK and the world. The NCA is dedicated to working with our partners in the UK and overseas, sharing intelligence and working to disrupt the most sophisticated and harmful ransomware groups, no matter where they are or how long it takes.”
Evil Corp officially formed as a crime group in 2014. They were responsible for the development and distribution of BitPaymer and Dridex, which they used target banks and financial institutions in over 40 countries, stealing over $100m.
The group were in a privileged position, with some members having close links to the Russian state. Benderskiy was a key enabler of their relationship with the Russian Intelligence Services who, prior to 2019, tasked Evil Corp to conduct cyber attacks and espionage operations against NATO allies.
After the US sanctions and indictments in December 2019, Benderskiy used his extensive influence with the Russian state to protect the group, both by providing senior members with security and by ensuring they were not pursued by Russian internal authorities.
However, the 2019 activity caused considerable disruption to Evil Corp, damaging their brand and ability to operate, including making it harder for them to elicit ransom payments from victims.
It caused them to have to rebuild, change tactics and take increased measures to hide their activity from law enforcement, with many members going underground, abandoning online accounts and restricting their movements.
They continued to adapt and some members went on to develop further malware and ransomware strains, most notably WastedLocker, Hades, PhoenixLocker, PayloadBIN and Macaw. Their focus narrowed, switching from volume attacks to targeting high-earning organisations.
Other members moved away from using their own technical tools, instead using ransomware strains developed by other crime groups, such as LockBit.
The NCA is continuing to track illicit activity conducted by various former members of Evil Corp, including their involvement in ransomware attacks.
The international investigation into LockBit is also ongoing and this week their original leak site, which remains under the control of the NCA, went live once more. It details further action taken by the Cronos Taskforce, including NCA arrests in August of two people believed to be associated with a LockBit affiliate, on suspicion of Computer Misuse Act and money laundering offences.
In the same month, French authorities secured the arrest of a suspected LockBit developer, and Spanish police detained one of the main facilitators of LockBit infrastructure, as well as seizing nine servers used by the group.
