The UK's National Crime Agency (NCA) says it has identified 16 people behind cybercrime group Evil Corp and found links to the Russian state and other prolific ransomware groups, including LockBit.
Five years ago, Evil Corp boss Maksim Yakubets and one of the group's administrators, Igor Turashev, were charged and sanctioned in the United States, along with several other members of the group.
The NCA has now moved to sanction the pair, along with seven others sanctioned by the United States in 2019 and seven new individuals who had not previously been identified.
Among them is Aleksandr Ryzhenkov, described by the NCA as Yakubets' right-hand man; data obtained from the group's own systems shows that he has been involved in LockBit ransomware attacks against numerous organizations. Also sanctioned in the UK are Yakubets' father, Viktor Yakubets, his father-in-law, Eduard Benderskiy, a former senior FSB official, and others.
“These sanctions expose more members of Evil Corp, including one who was an affiliate of LockBit, and those who were instrumental in enabling their activity,” said James Babbage, NCA's director general of threats.
“Since we supported the US action against Evil Corp in 2019, members have modified their tactics and harms attributed to the group have been significantly reduced. We hope these new designations will also disrupt their ongoing criminal activity.”
Links with the Russian State?
Evil Corp first appeared in 2014, developing and distributing BitPaymer and Dridex, which they used to target banks and financial institutions in more than 40 countries, earning more than $100 million, with some members believed to have ties to the Russian state.
“My personal mission is to attack the Kremlin with the entire arsenal of sanctions at our disposal. Putin has built a corrupt mafia state with himself at the center. We must combat this at all times, and today's action is just the beginning,” said UK Foreign Secretary David Lammy.
“Today's sanctions send a clear message to the Kremlin that we will not tolerate Russian cyberattacks, whether from the state itself or its cybercriminal ecosystem.”
Meanwhile, an alleged LockBit developer has been arrested at the request of French authorities, while Spanish agents have seized nine servers, part of the ransomware infrastructure, and arrested an administrator of a bulletproof hosting service used by the ransomware group.
LockBit was the most used ransomware variant globally between 2021 and 2023, operating with a ransomware-as-a-service model and targeting critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing and transportation.
“While Evil Corp has been relatively quiet since the 2019 US sanctions, today's news illustrates how these groups are finding solutions, splitting up, regrouping and repeating their tactics to continue generating revenue,” said Sean M. McNee, head of software threat intelligence at DomainTools.
“While it may seem like a game of whack-a-mole trying to identify all the members involved, DNS and domain intelligence can be powerful tools in the fight against cybercrime groups like Evil Corp. Tracking domains and searching for the relationships between them allow threat hunters to discover patterns, making new movements easier and faster to identify.”