The UK’s National Crime Agency (NCA) has named and shamed a high-profile LockBit affiliate as its ongoing Operation Cronos takedown action against the notorious gang continues, exposing a relationship with the Evil Corp cyber crime organisation that was suspected by some, but never successfully confirmed up to now.
Having spent months trawling through the trove of information that passed into its hands in February when Operation Cronos kicked off, the NCA has today asserted with confidence that an individual LockBit affiliate going by the handle Beverley was at the same time a key player in the Evil Corp empire.
His real name is Aleksandr Ryzhenkov and he served as the right-hand man to Evil Corp’s infamous mastermind, Maksim Yakubets, for over a decade.
As a trusted associate and friend to Yakubets, Ryzhenkov took an active role developing the WastedLocker ransomware deployed by Evil Corp around 2020, when the group was in disarray following a December 2019 operation against it. From 2022, said the NCA, Ryzhenkov has also been working as a LockBit affiliate.
Gavin Webb, senior investigating officer on Operation Cronos, said that LockBit’s admin, LockBitSupp – real name Dmitry Khoroshev – had in the past denied any links to the long-lived Evil Corp gang.
“LockBit was very clear that he never worked with Evil Corp, and we’ve been able to show here very clearly that they did. One key affiliate [Ryzhenkov] was responsible for trying to extort $100m worth of Bitcoin and also targeting and creating builds against 60 victims at least,” said Webb, who added that the NCA is still working with the wider group of agencies involved in Operation Cronos to establish full details of LockBit affiliate activity and how the pieces of the puzzle fit together.
Besides Ryzhenkov, a total of 16 individuals associated with Evil Corp have been sanctioned in the UK, while in the US a new indictment has also been unsealed against Ryzhenkov.
Evil Corp is thought to have made $300m from victims around the world over the years, with known victims including many operators of critical national infrastructure (CNI), health sector organisations, and government and public bodies.
James Babbage, director general for threats at the NCA, said: “The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most harmful cyber crime groups of all time.
“These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity.
“Since we supported US action against Evil Corp in 2019, members have amended their tactics and the harms attributed to the group have reduced significantly. We expect these new designations to also disrupt their ongoing criminal activity.
In Putin’s pocket
During its investigation, NCA also firmed up evidence of long-suspected links between Evil Corp and the Kremlin, revealing that Evil Corp ringleader Yakubets has been in the pocket of the Russian government and actively sought contacts and connections at the highest levels of the intelligence community.
Significantly, Yakubets was aided in this by his father-in-law, Eduard Benderskiy, a former high-ranking official in the FSB, who leveraged his contacts to hep Yakubets develop his relationship with the Russian state.
It has long been known that a link existed between Yakubets and the state via ex-Spetsnaz officer Benderskiy, who likely has the ear of Russian leader Vladimir Putin.
However, the NCA also revealed new intelligence that prior to 2019, Evil Corp was officially tasked with conducting cyber attacks and espionage actions against Nato countries.
After the December 2019 action against Evil Corp, in which Yakubets was indicted by the US, Benderskiy also brought his influence to bear in Moscow, leaning on others in the Russian government to make sure his family members were left alone.
Both Viktor Yakubets and Eduard Benderskiy are among the individuals sanctioned today.
The NCA stressed that the relationship between the two was highly unusual, and that most Russia-based cyber criminal gangs operate on a financially motivated basis, albeit receiving a certain degree of arms-length “protection” from Moscow.
UK foreign secretary David Lammy said: “I am making it my personal mission to target the Kremlin with the full arsenal of sanctions at our disposal. Putin has built a corrupt mafia state with himself at its centre. We must combat this at every turn, and today’s action is just the beginning.”
LockBit takedown a humiliation for the gang
The LockBit gang, which infamously disrupted Royal Mail’s international services for weeks at the start of 2023, was taken down in Operation Cronos in February 2024 after a prolific crime spree that at one point saw it account for over a quarter of all known ransomware attacks worldwide.
Operation Cronos resulted in the near complete compromise of the LockBit operation. This was accomplished not merely through a technical takedown of its server infrastructure, but by creatively turning some of the gang’s tactics on it, among them the naming and shaming of key members, including its self-aggrandising leader Khoroshev.
Notably, Khoroshev himself was was trolled by the NCA earlier in the year when they revealed he did not, as he claimed, drive a Lamborghini but rather an elderly Mercedes that, living in sanctioned Russia, he could not get spare parts for anymore.
In this way, cyber experts say, the authorities have ensured that the crew is not just unable to operate, but has been humiliated in the eyes of its peers, and although individuals associated or affiliated with LockBit attempted a fightback at first, the reputational damage that the crew sustained in the takedown, along with a series of outbursts that got the unstable Khoroshev banned from underground cyber crime forums, meant nobody wanted to work with LockBit anymore, and these efforts largely faltered.
This is not to say the danger from LockBit has passed – eight months on, the ransomware locker itself remains a threat and has been used on new victims, but it has tended to be older, leaked builds being deployed without much success by small-time affiliates. With its credibility in tatters, the LockBit gang, said the NCA, is not what it was.
“The disruption that we carried out was as much about disrupting the group as it was about disrupting their trajectory of growth and preventing them becoming even bigger,” said Webb.
More arrests
In recent weeks, the NCA revealed, more arrests have been made in the UK and Europe of individuals who laundered money for LockBit. French authorities have arrested a suspected developer, while in Spain one of the main facilitators of LockBit’s infrastructure has been taken into custody, and a total of nine servers seized.
The NCA has also relaunched LockBit’s dark web portal, which it took over in February and has been using to taunt the cyber criminals, publishing more details of some of the individuals arrested in recent weeks.