The U.K.’s National Crime Agency has linked a long-standing affiliate of the LockBit ransomware group to the notorious Russia-backed Evil Corp, a cybercrime gang with links to the Russian government.
The NCA said on Tuesday that it had unmasked the LockBit affiliate, known as “Beverly,” as Russian national Aleksandr Ryzhenkov, who British authorities believe to be “second in command” at Evil Corp.
This is the latest effort by U.K. and international law enforcement — dubbed Operation Cronos — aimed at disrupting the operations of LockBit, once one of the most prolific Russian ransomware gangs, and Evil Corp, one of Russia’s top cybercrime groups with known links to the Russian government. The authorities provided evidence Tuesday of further overlaps between the two Russian cybercrime gangs, in part by briefly resurrecting the dark web leak site of the notorious LockBit ransomware gang that the authorities had previously seized.
According to the NCA’s latest findings, Ryzhenkov is close friends with Evil Corp founder and leader Maksim Yakubets, who was charged by the U.S. government in 2019 for his alleged role in developing and distributing the Dridex malware. Yakubets was previously accused of providing “direct assistance” to the Russian government.
As such, the U.K., along with U.S. and Australian authorities, issued sanctions against Ryzhenkov, effectively making it unlawful for anyone affiliated with those countries to transact with him — including paying a ransom.
During a briefing attended by TechCrunch ahead of Tuesday’s announcement, the NCA said that while most Russian hackers it tracks are financially motivated, Evil Corp maintains a “privileged” relationship with the Russian state and was often tasked with carrying out cyberattacks on NATO countries on behalf of the Russian government.
Ryzhenkov, described by the NCA as Yakubets’ “right-hand man,” became a LockBit affiliate in 2022 who went on to target at least 60 victims, the authorities said.
The NCA has also identified Viktor Yakubets, Maksim’s father; and Eduard Benderskiy, Maksim’s father-in-law and a former high-ranking Russian intelligence official official, as key to Evil Corp’s operations, with the latter a “key enabler” of the gang’s relationship with the Russian intelligence services. Both Yakubets and Benderskiy were also sanctioned.
“LockBit was very clear that it has never worked with Evil Corp, and we’ve been able to show that very clearly they do,” Gavin Webb, senior investigating officer for Operation Cronos, told reporters.
The NCA also announced on Tuesday that a number of further arrests have been made in its ongoing efforts aimed at disrupting the prolific LockBit ransomware gang. British authorities arrested two people in the U.K. who are believed to be associated with a LockBit affiliate on suspicion of computer hacking and money laundering offenses. A suspected LockBit developer was also arrested in France, and Spanish police detained one of the main facilitators of LockBit infrastructure, seizing nine servers used by the group.
This action by Operation Cronos is the latest move in the ongoing cat-and-mouse game between international cyber authorities and LockBit.
The long-running battle between the two became public back in February when an international law enforcement coalition, led by the NCA and the FBI, announced that it had infiltrated LockBit’s official site. The years-in-the-making operation saw the agencies seize LockBit’s infrastructure, including the dark web leak site that the gang uses to list and extort its victims, by exploiting a vulnerability in LockBit’s public-facing websites.
Authorities also said in February that they had arrested two alleged LockBit members in Ukraine and Poland and seized more than 200 cryptocurrency wallets belonging to the Russia-linked hackers.
Days after the operation was announced, LockBit returned to the dark web with a new leak site — and new victims.
Operation Cronos returned in May to reveal new charges against Russian national Dmitry Khoroshev for his alleged involvement as the creator, developer, and administrator of LockBit.
The NCA says that while LockBit remains active, the action taken so far has had a significant effect on ransomware operations. The number of LockBit affiliates has fallen from around 200 to 70 since May, the NCA said, adding that while the gang claims to still be active by posting new victims to its dark web leak site, the majority of those are repeat victims or false claims.
The agency said its investigations into the LockBit ransomware have also revealed new details about the gang’s source code and how it operated. The authorities said LockBit’s code was written in such a way that it would not delete a victim’s data even if the victim paid a ransom demand. This detail was unknown to LockBit’s affiliates, the NCA said.