A new wave of international law enforcement has led to four arrests and the takedown of nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation, marking the latest salvo against what was once a prolific financially motivated group.
This includes the arrest of a suspected LockBit developer in France while on holiday outside Russia, two individuals in the UK who allegedly supported the branch, and the administrator of a bulletproof hosting in Spain used by the Europol ransomware group said in the statement.
In connection with this, the authorities released a Russian citizen named Alexander Ryzhankov (aka Beverley, Corbyn_Dallas, G, Guester, and Kotosel) as one of the high-ranking members of the cybercriminal group Evil Corp, while painting him as an affiliate of LockBit. Sanctions were also announced against seven individuals and two organizations associated with the group of electronic criminals.
“The United States, in close coordination with our allies and partners, including through the Ransomware Initiative, will continue to expose and disrupt criminal networks that seek personal gain from the pain and suffering of their victims,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith.
Development, part a joint exercise called Operation Cronos, comes nearly eight months after the takeover of LockBit’s online infrastructure. It also follows from the sanctions imposed against Dmitry Yuryevich Khoroshevwhich was discovered by the admin and the person behind the persona “LockBitSupp”.
A total of 16 people who were part of Evil Corp sanctioned UK Also known as Gold Drake and Indrik Spider, the infamous hacker group has been active since 2014, targeting banks and financial institutions with the ultimate goal of stealing user credentials and financial information to facilitate unauthorized fund transfers.
The group responsible for development and distribution Drydex (aka Bugat) malware previously observed deployment LockBit and other strains of ransomware in 2022 to circumvent sanctions introduced in relation to the group in December 2019, including key participants Maxim Yakubets and Igor Turashov.
Ryzhankov was named by the UK’s National Crime Agency (NCA) as Jakubets’ right-hand man in the US Department of Justice (DoJ). accusing it’s about deploying BitPaymer ransomware to victims across the country since at least June 2017.
“Rizhankov used the affiliate name Beverley, made more than 60 LockBit ransomware builds, and attempted to extort at least $100 million in ransom demands from victims,” officials said. “Rizhankov was additionally associated with the alias mx1r and associated with UNC2165 (evolution of actors associated with Evil Corp).”
In addition, Ryzhankov’s brother, Sergei Ryzhankov, who is believed to use the pseudonym “Epokha” on the Internet, is associated with BitPaymeraccording to cybersecurity firm Crowdstrike, which assisted the NCA in the effort.
“During 2024, Indrik Spider gained initial access to several sites via the Fake Browser Update (FBU) malware distribution service,” the report said. noted. “The adversary was last seen deploying LockBit during an incident that occurred in Q2 2024.”
Among those who have been sanctioned are Yakubets’ father Viktor Yakubets and his father-in-law Eduard Benderskyi, a former high-ranking FSB official, underscoring the deep connection between Russian cybercriminal groups and the Kremlin.
“The group was in a privileged position, and some members had close ties to the Russian state,” the NCA notes. said. “Bendersky was a key factor in their relationship with Russian intelligence services, which until 2019 tasked Evil Corp with conducting cyberattacks and espionage operations against NATO allies.”
“Following US sanctions and indictments in December 2019, Bendersky used his extensive influence with the Russian state to protect the group, both by keeping high-ranking members safe and ensuring they were not prosecuted by Russian domestic authorities.”
