
Global Effort Results in Arrest and Sanctioning of LockBit Ransomware and Evil Corp Leaders

A series of global law enforcement efforts has resulted in the arrest of four individuals and the dismantling of nine servers associated with the LockBit (aka Bitwise Spider) ransomware operation, signaling a significant blow to the once-prolific financially motivated group.

The latest actions include the apprehension of a suspected LockBit developer in France while on a holiday trip outside of Russia, two individuals in the U.K. accused of aiding an affiliate, and, in Spain, the administrator of a bulletproof hosting service used by the ransomware group, according to a statement from Europol.

At the same time, authorities have exposed a Russian national named Aleksandr Ryzhenkov (aka Beverley, Corbyn_Dallas, G, Guester, and Kotosel) as a key member of the Evil Corp cybercrime group while also linking him to LockBit. Sanctions have been imposed on seven individuals and two entities connected to the criminal gang.

“Through the Counter Ransomware Initiative, the United States will continue its collaboration with allies to disrupt criminal networks profiting from the suffering of their victims,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, Bradley T. Smith.

The developments are part of Operation Cronos, a joint effort that comes nearly eight months after LockBit’s online infrastructure was seized, following sanctions against Dmitry Yuryevich Khoroshev, the administrator known as “LockBitSupp.”

A total of 16 individuals associated with Evil Corp have been subjected to sanctions by the U.K. The group, also known as Gold Drake and Indrik Spider, has been active since 2014, primarily targeting financial institutions to steal user data for unauthorized fund transfers.

The group, which is responsible for developing and distributing the Dridex malware, was observed deploying LockBit and other ransomware strains in 2022 to circumvent previously imposed sanctions. Key members Maksim Yakubets and Igor Turashev faced sanctions in December 2019.

Ryzhenkov, identified as an affiliate using the alias Beverley, has been accused of deploying BitPaymer ransomware to extort victims since at least June 2017. He has also been linked to the alias mx1r and UNC2165 (an Evil Corp-affiliated group).

Ryzhenkov’s brother Sergey Ryzhenkov, known as Epoch, has been associated with BitPaymer, as per cybersecurity firm CrowdStrike, which aided the NCA in the investigation.

Indrik Spider gained access to entities using the Fake Browser Update (FBU) malware distribution service in 2024, deploying LockBit during an incident in Q2 2024, according to reports.

Among those sanctioned are Yakubets’ father, Viktor Yakubets, and his father-in-law, Eduard Benderskiy, a former high-ranking FSB official, highlighting the close ties between Russian cybercrime groups and the Kremlin.

“Some members had close links to the Russian state,” the NCA said. “Benderskiy facilitated their relationship with the Russian Intelligence Services and provided security to protect the group from investigations.”

“After the 2019 sanctions, Benderskiy used his influence to shield the group from Russian authorities,” they added.
