Police unmask Aleksandr Ryzhenkov as Evil Corp member and LockBit affiliate

Western authorities on Tuesday named Russian national Aleksandr Ryzhenkov as one of the main members of the Evil Corp cybercrime group, as well as identifying him as an affiliate of the LockBit group. The U.S. also charged him with using BitPaymer ransomware.

It comes as multiple arrests are announced in connection to the LockBit scheme, including two suspected money launderers in the United Kingdom and a suspected LockBit developer in France. A man suspected of owning a “bulletproof hosting” company has also been arrested in Spain.

“Aleksandr Ryzhenkov extorted victim businesses throughout the United States by encrypting their confidential information and holding it for ransom,” said Nicole Argentieri, head of the DOJ’s Criminal Division.

“Addressing the threat from ransomware groups is one of the Criminal Division’s highest priorities. The coordinated actions announced today demonstrate, yet again, that the Justice Department is committed to working with its partners to take an all-tools approach to protecting victims and holding cybercriminals accountable.”

At the same time as identifying Ryzhenkov as one of LockBit’s affiliates, authorities in the U.S., U.K. and Australia also published a paper detailing his role in the Evil Corp gang, alongside that of Eduard Benderskiy, a former Russian intelligence official who has been protecting the hackers from Russia’s internal authorities.

Read More: Eduard Benderskiy: Western authorities link Russian intelligence officer to Evil Corp cybercrime empire

The three countries also announced a range of new individuals would be listed on their financial sanctions regimes, including another 16 in the United Kingdom — 15 of whom were associated with Evil Corp — with the U.S. Treasury designating seven individuals and two entities, and the Australians sanctioning three individuals.

“Today’s trilateral action underscores our collective commitment to safeguard against cybercriminals like ransomware actors, who seek to undermine our critical infrastructure and threaten our citizens,” said the U.S. Treasury’s Bradley Smith.

The LockBit announcements are the latest tranches of information to be made public following a law enforcement operation that seized the ransomware group’s infrastructure earlier this year. Although the LockBit platform is continuing to operate, law enforcement officials believe it is doing so at a dramatically reduced capacity, with many of the service’s most capable affiliates now using alternatives.

Numerous “victims” listed on the gang’s darknet site are cited as evidence that things are not quite what they seem for the gang. Several are said to be old compromises being reposted, while others are either fake or misattributed attacks allegedly impacting a large enterprise when in fact they had only affected a very small subsidiary.

When the LockBit seizure initially took place, the NCA said it had “gained unprecedented and comprehensive access to LockBit’s systems” offering a trove of material for intelligence purposes.

A week of revelations subsequently appeared on the site, each of them trailered beneath a countdown, including claims that LockBit did not delete data even when it had pledged to victims to do so.

According to the NCA’s announcement this Tuesday, none of LockBit’s victim data from 2023 was deleted. According to the agency’s analysis of the source code used in the LockBit system, it was even written to actually delete the data, but always provided the gang with the opportunity to keep it without informing either the affiliate or the victim.

In May of this year, the NCA again resurrected the LockBit site to identify the group’s leader as a 31-year-old Russian national called Dmitry Khoroshev.

Khoroshev was charged in a 26-count indictment and accused of growing LockBit “into a massive criminal organization that has, at times, ranked as the most prolific and destructive ransomware group in the world.”

James Babbage, the NCA’s director general for threats, said: “The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most harmful cybercrime groups of all time.

“These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity.

“Since we supported US action against Evil Corp in 2019, members have amended their tactics and the harms attributed to the group have reduced significantly. We expect these new designations to also disrupt their ongoing criminal activity,” said Babbage.

“Ransomware is the most significant cybercrime threat facing the UK and the world. The NCA is dedicated to working with our partners in the UK and overseas, sharing intelligence and working to disrupt the most sophisticated and harmful ransomware groups, no matter where they are or how long it takes.”