Police unmask Aleksandr Ryzhenkov as Evil Corp member and LockBit affiliate


Western authorities on Tuesday named Russian national Aleksandr Ryzhenkov as one of the main members of the Evil Corp cybercrime group, as well as identifying him as an affiliate of the LockBit group. The U.S. also charged him with using BitPaymer ransomware.

It comes as multiple arrests are announced in connection with the LockBit scheme, including two suspected money launderers in the United Kingdom and a suspected LockBit developer in France. A man suspected of owning a “bulletproof hosting” company has also been arrested in Spain.

“Aleksandr Ryzhenkov extorted victim businesses throughout the United States by encrypting their confidential information and holding it for ransom,” said Nicole Argentieri, head of the DOJ’s Criminal Division.

“Addressing the threat from ransomware groups is one of the Criminal Division’s highest priorities. The coordinated actions announced today demonstrate, yet again, that the Justice Department is committed to working with its partners to take an all-tools approach to protecting victims and holding cybercriminals accountable.”

At the same time as identifying Ryzhenkov as one of LockBit’s affiliates, authorities in the U.S., U.K. and Australia also published a paper detailing his role in the Evil Corp gang, alongside that of Eduard Benderskiy, a former Russian intelligence official who has been protecting the hackers from Russia’s internal authorities.


The LockBit announcements are the latest tranches of information to be made public following a law enforcement operation that seized the ransomware group’s infrastructure earlier this year. Although the LockBit platform is continuing to operate, law enforcement officials believe it is doing so at a dramatically reduced capacity, with many of the service’s most capable affiliates now using alternatives.

Numerous “victims” listed on the gang’s darknet site are cited as evidence that things are not quite what they seem for the gang. Several are said to be old compromises being reposted, while others are either fake or misattributed attacks claiming to have impacted a large enterprise when in fact they had only affected a very small subsidiary.

When the LockBit seizure initially took place, the NCA said it had “gained unprecedented and comprehensive access to LockBit’s systems” offering a trove of material for intelligence purposes.

A week of revelations subsequently appeared on the site, each of them trailed beneath a countdown, including claims that LockBit did not delete data even when it had pledged to victims to do so.

According to the NCA’s announcement this Tuesday, none of LockBit’s victim data from 2023 was deleted. The agency’s analysis of the source code used in the LockBit system found that the code was written to delete the data, but it always gave the gang the option to keep it without informing either the affiliate or the victim.

In May of this year, the NCA again resurrected the LockBit site to identify the group’s leader as a 31-year-old Russian national called Dmitry Khoroshev.

Khoroshev was charged in a 26-count indictment and accused of growing LockBit “into a massive criminal organization that has, at times, ranked as the most prolific and destructive ransomware group in the world.”

James Babbage, the NCA’s director general for threats, said: “The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most harmful cybercrime groups of all time.

“These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity.

“Since we supported US action against Evil Corp in 2019, members have amended their tactics and the harms attributed to the group have reduced significantly. We expect these new designations to also disrupt their ongoing criminal activity,” said Babbage.

“Ransomware is the most significant cybercrime threat facing the UK and the world. The NCA is dedicated to working with our partners in the UK and overseas, sharing intelligence and working to disrupt the most sophisticated and harmful ransomware groups, no matter where they are or how long it takes.”


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.
