Police unmask Aleksandr Ryzhenkov as Evil Corp member and LockBit affiliate

Avatar

Western authorities on Tuesday named Russian national Aleksandr Ryzhenkov as one of the main members of the Evil Corp cybercrime group, as well as identifying him as an affiliate of the LockBit group. The U.S. also charged him with using BitPaymer ransomware.

It comes as multiple arrests are announced in connection to the LockBit scheme, including two suspected money launderers in the United Kingdom and a suspected LockBit developer in France. A man suspected of owning a “bulletproof hosting” company has also been arrested in Spain.

“Aleksandr Ryzhenkov extorted victim businesses throughout the United States by encrypting their confidential information and holding it for ransom,” said Nicole Argentieri, head of the DOJ’s Criminal Division.

“Addressing the threat from ransomware groups is one of the Criminal Division’s highest priorities. The coordinated actions announced today demonstrate, yet again, that the Justice Department is committed to working with its partners to take an all-tools approach to protecting victims and holding cybercriminals accountable.”

At the same time as identifying Ryzhenkov as one of LockBit’s affiliates, authorities in the U.S., U.K. and Australia also published a paper detailing his role in the Evil Corp gang, alongside that of Eduard Benderskiy, a former Russian intelligence official who has been protecting the hackers from Russia’s internal authorities.

Read More: Eduard Benderskiy: Western authorities link Russian intelligence officer to Evil Corp cybercrime empire

The LockBit announcements are the latest tranches of information to be made public following a law enforcement operation that seized the ransomware group’s infrastructure earlier this year. Although the LockBit platform is continuing to operate, law enforcement officials believe it is doing so at a dramatically reduced capacity, with many of the service’s most capable affiliates now using alternatives.

Numerous “victims” listed on the gang’s darknet site are cited as evidence that things are not quite what they seem for the gang. Several are said to be old compromises being reposted, while others are either fake or misattributed attacks claiming to have impacted a large enterprise when in fact they had only affected a very small subsidiary.

When the LockBit seizure initially took place, the NCA said it had “gained unprecedented and comprehensive access to LockBit’s systems” offering a trove of material for intelligence purposes.

A week of revelations subsequently appeared on the site, each of them trailered beneath a countdown, including claims that LockBit did not delete data even when it had pledged to victims to do so.

According to the NCA’s announcement this Tuesday, none of LockBit’s victim data from 2023 was deleted. According to the agency’s analysis of the source code used in the LockBit system, it was even written to actually delete the data, but always provided the gang with the opportunity to keep it without informing either the affiliate or the victim.

In May of this year, the NCA again resurrected the LockBit site to identify the group’s leader as a 31-year-old Russian national called Dmitry Khoroshev.

Khoroshev was charged in a 26-count indictment and accused of growing LockBit “into a massive criminal organization that has, at times, ranked as the most prolific and destructive ransomware group in the world.”

James Babbage, the NCA’s director general for threats, said: “The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most harmful cybercrime groups of all time.

“These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity.

“Since we supported US action against Evil Corp in 2019, members have amended their tactics and the harms attributed to the group have reduced significantly. We expect these new designations to also disrupt their ongoing criminal activity,” said Babbage.

“Ransomware is the most significant cybercrime threat facing the UK and the world. The NCA is dedicated to working with our partners in the UK and overseas, sharing intelligence and working to disrupt the most sophisticated and harmful ransomware groups, no matter where they are or how long it takes.”

CybercrimeNewsPeopleNation-state
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

 

Total
0
Shares
Previous Post

5 Actionable Steps to Prevent GenAI Data Leaks Without Fully Blocking AI Usage

Next Post

AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition

Related Posts

New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks

Cybersecurity researchers have flagged a new ransomware family called Ymir that was deployed in an attack two days after systems were compromised by a stealer malware called RustyStealer. "Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness," Russian cybersecurity vendor Kaspersky said. "Threat actors leveraged an unconventional blend
Avatar
Read More