Law enforcement agencies, spearheaded by Europol and Eurojust, continue to make significant strides in the ongoing battle against cybercrime as part of Operation Cronos. A recent development within this operation involved the targeting of the notorious LockBit ransomware gang, which resulted in four arrests and the seizure of crucial devices used in the ransomware’s infrastructure. One of the key individuals apprehended was Aleksandr Ryzhenkov, also known as Beverley, who was identified as an affiliate of LockBit and previously held a high-ranking position in the Evil Corp cybercrime organization.
The arrests were carried out in various locations, including France, where a suspected developer for the group was detained, as well as in the UK, where two LockBit affiliates were captured by British authorities. Additionally, in Spain, a bulletproof hosting service administrator was arrested, leading to the confiscation of nine servers linked to the criminal operation.
In response to these actions, the US, the UK, and Australia jointly imposed sanctions on Ryzhenkov, who was highlighted by the UK’s National Crime Agency as a key lieutenant to Evil Corp leader Maxim Yakubets. The US further unsealed an indictment against him and sanctioned 16 other individuals associated with the infamous gang.
Evil Corp, a Russia-based cybercrime outfit responsible for the creation of the Zeus and Dridex banking Trojans, previously faced a decline in activity following US sanctions in 2019. These sanctions exposed Yakubets’ connections with an FSB agent, who also happened to be his father-in-law, shedding light on Evil Corp’s internal operations and significantly impacting their operations.
Ryzhenkov’s role in the development of Evil Corp’s post-sanctions WastedLocker ransomware, a ransomware-as-a-service (RaaS) offering, was crucial, but by 2022, he had shifted his allegiance to LockBit. Despite these ties, LockBit has vehemently denied any collaboration with Evil Corp, emphasizing its independence in the cybercriminal landscape.
“The exposure of Evil Corp’s association with LockBit represents a major setback for the ransomware affiliate market,” stated Ferhat Dikbiyik, head of research at Black Kite. Following the dismantling of LockBit’s primary infrastructure during Operation Cronos in February 2024, the group resorted to utilizing backup Dark Web channels to maintain its operations. The uncovering of connections between LockBit and Evil Corp underscores the intertwined nature of cybercriminal activities on a global scale.
LockBit ransomware, known for its widespread impact across various sectors such as finance, agriculture, education, energy, government, and healthcare, has posed significant challenges to organizations worldwide. The diverse range of attack tactics employed by independent affiliates underscores the complexity of mitigating the threat posed by this ransomware strain. However, efforts by law enforcement agencies, including the Japanese Police, National Crime Agency, and FBI, are focused on developing decryption tools to assist victims in recovering encrypted files and combating the menace of LockBit ransomware.
As the battle against cybercrime continues, collaboration between international law enforcement agencies remains crucial in disrupting the operations of ransomware gangs and holding accountable those responsible for perpetrating malicious activities online. The latest developments in Operation Cronos serve as a testament to the unwavering commitment of authorities in safeguarding cyberspace and protecting individuals and organizations from the harmful effects of cyber threats.