A new wave of international law enforcement actions has resulted in four arrests and the dismantling of nine servers associated with the LockBit (also known as Bitwise Spider) ransomware group, dealing a significant blow to the once-prolific financially driven operation.
Those arrested include a suspected LockBit developer, detained in France while on holiday outside Russia; two individuals in the U.K. accused of supporting an affiliate; and an administrator of a bulletproof hosting service in Spain used by the group, according to a Europol statement.
In addition, authorities identified Russian national Aleksandr Ryzhenkov (aka Beverley, Corbyn_Dallas, G, Guester, and Kotosel) as a prominent member of the Evil Corp cybercrime group, while also linking him to LockBit as an affiliate. Sanctions have been imposed on seven individuals and two entities tied to the e-crime gang.
“The United States, in close collaboration with our allies and partners, including through the Counter Ransomware Initiative, will continue to expose and disrupt the criminal networks profiting from their victims’ pain and suffering,” said Bradley T. Smith, Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence.
This development, part of a joint operation called Operation Cronos, comes nearly eight months after the takedown of LockBit’s online infrastructure. It also follows sanctions imposed on Dmitry Yuryevich Khoroshev, the administrator behind the “LockBitSupp” persona.
The U.K. has sanctioned 16 members of Evil Corp, also known as Gold Drake and Indrik Spider. Active since 2014, the notorious hacking group has targeted banks and financial institutions, aiming to steal credentials and financial data to carry out unauthorized fund transfers.
The group behind the Dridex (aka Bugat) malware was previously known for deploying LockBit and other ransomware strains in 2022, a tactic it has used to circumvent the sanctions imposed in December 2019 on key members, including Maksim Yakubets and Igor Turashev.
Aleksandr Ryzhenkov, identified as Yakubets’ right-hand man by the U.K. National Crime Agency (NCA), has been accused by the U.S. Department of Justice (DoJ) of deploying BitPaymer ransomware to target victims across the country since at least June 2017.
“Using the affiliate name Beverley, Ryzhenkov created over 60 LockBit ransomware builds and sought to extort at least $100 million in ransom demands,” officials reported. He is also linked to the alias mx1r and associated with UNC2165, an offshoot of Evil Corp.
Additionally, his brother Sergey Ryzhenkov, known online as Epoch, has been tied to BitPaymer, according to cybersecurity firm CrowdStrike, which supported the NCA in its investigation.
“Throughout 2024, Indrik Spider gained initial access to multiple organizations via the Fake Browser Update (FBU) malware-distribution service,” the report noted. “The group was last observed deploying LockBit during an incident in Q2 2024.”
Among those sanctioned are Viktor Yakubets, the father of Maksim Yakubets, and Eduard Benderskiy, Maksim Yakubets' father-in-law and a former high-ranking FSB official. This highlights the deep ties between Russian cybercrime groups and the Kremlin.
“The group held a privileged position, with some members maintaining close connections to the Russian state,” stated the NCA. “Benderskiy played a pivotal role in facilitating their relationship with Russian intelligence, which, prior to 2019, tasked Evil Corp with conducting cyberattacks and espionage against NATO allies.”
“Following the U.S. sanctions and indictments in December 2019, Benderskiy leveraged his considerable influence within the Russian state to shield the group, providing security for senior members and ensuring they were not targeted by Russian authorities.”