The UK’s National Crime Agency (NCA) has publicly identified a prominent LockBit affiliate as part of its ongoing Operation Cronos, which targets the infamous ransomware gang. This action has established a long-suspected connection between LockBit and the Evil Corp cybercrime organization.
After an exhaustive investigation that began in February, the NCA has confidently identified an individual known as Beverley, whose real name is Aleksandr Ryzhenkov, as a significant figure within the Evil Corp network. Ryzhenkov, who served as a trusted associate to Evil Corp’s notorious leader, Maksim Yakubets, helped develop the WastedLocker ransomware that Evil Corp launched around 2020, following a tumultuous period after a crackdown on the organization in December 2019. According to the NCA, Ryzhenkov has also been affiliated with LockBit since 2022.
Gavin Webb, a senior investigator for Operation Cronos, noted that Dmitry Khoroshev, the administrator of LockBit, had previously dismissed any ties to Evil Corp. “LockBit has consistently claimed they have no connection to Evil Corp, but we’ve demonstrated that they do. One key affiliate [Ryzhenkov] attempted to extort $100 million in Bitcoin and targeted at least 60 victims,” Webb explained. The NCA is continuing its collaboration with partner agencies to further unravel the connections between LockBit affiliates and their activities.
In addition to Ryzhenkov, 16 individuals linked to Evil Corp have been sanctioned in the UK, and the US has filed a new indictment against Ryzhenkov. Over the years, Evil Corp is estimated to have extorted around $300 million from victims globally, affecting numerous entities within critical national infrastructure, the health sector, and governmental organizations.
James Babbage, the NCA’s director for threats, commented, “Today’s actions are the result of extensive investigations into two of the most dangerous cybercrime groups to date. These sanctions further reveal members of Evil Corp, including one associated with LockBit, who were vital in enabling their operations. Following our support for US actions against Evil Corp in 2019, its members adapted their strategies, leading to a significant reduction in the harm caused by the group. We anticipate that these new sanctions will disrupt their ongoing criminal endeavors.”
During its investigation, the NCA uncovered further evidence of the connections between Evil Corp and the Kremlin, revealing that Yakubets and his network had sought high-level ties within the Russian government. Notably, his father-in-law, Eduard Benderskiy, a former senior FSB official, facilitated Yakubets’ access to critical state connections. While ties had long been suspected between Yakubets and the government via Benderskiy, the NCA presented new findings indicating that before 2019, Evil Corp was officially assigned to conduct cyberattacks and espionage against NATO countries.
Following the December 2019 indictment of Yakubets in the US, Benderskiy reportedly used his influence to ensure protection for his family members within the Russian government. Both Yakubets and Benderskiy are among those sanctioned today.
The NCA emphasized that the relationship between Yakubets and Benderskiy is uncommon, as most Russian cybercriminals operate primarily for financial gain, albeit receiving some level of indirect protection from the state. UK Foreign Secretary David Lammy stated, “I am personally committed to targeting the Kremlin with all available sanctions. Putin has constructed a corrupt mafia state that centers around him. We must counter this at every opportunity, and today’s actions are just the beginning.”
LockBit, whose operations were recently taken down, notoriously disrupted Royal Mail’s international services for weeks in 2023. Operation Cronos dismantled much of LockBit not only by executing a technical takedown of its infrastructure but also by using the gang’s own strategies against it, naming and shaming key members such as Khoroshev.
Earlier this year, the NCA humorously highlighted Khoroshev’s claim of driving a Lamborghini, revealing instead that he owned an aging Mercedes for which he could no longer obtain spare parts due to sanctions. Cybersecurity experts assert that this approach has not only incapacitated the gang but has also humiliated them within their own network. Though there have been attempts at a comeback from some LockBit affiliates, the reputational damage suffered during the crackdown diminished their credibility, leaving them unable to gain support.
While the immediate threat from LockBit persists—eight months later, older versions of their ransomware are still used on new victims—these incidents are typically carried out by less experienced affiliates. The NCA reports that, despite the lingering threat, LockBit is far diminished from its former strength. Webb reiterated, “Our disruptive actions were aimed at hindering not just the group’s functionality but curbing their potential growth.”
Additionally, the NCA has reported recent arrests associated with individuals laundering money for LockBit. Recently, French authorities apprehended a suspected developer, while Spanish authorities took a significant facilitator of LockBit’s operations into custody, resulting in the seizure of nine servers. The NCA has also revived LockBit’s dark web portal, which it commandeered in February, using it to mock the cybercriminals while publishing details about individuals arrested in recent weeks.