Share this article on:
LockBit 3.0 has taken another critical blow after global law enforcement agencies announced overnight that four more individuals connected to the ransomware gang had been arrested as part of Operation Cronos.
Yesterday (1 October), global law enforcement, led by the UK National Crime Agency (NCA), the FBI, and Europol, resurrected the LockBit site it seized and took down back in February and teased new arrests and other announcements with countdown timers.
🚨 LockBit power cut🔌✂️
Four new arrests and financial sanctions against affiliates
More in our press release ➡️ https://t.co/ZzT9rpAhd1 pic.twitter.com/L6AtMYQLXg— Europol (@Europol) October 1, 2024========================
Now, law enforcement has announced that four arrests were made, with a major gang developer arrested at the request of French authorities, two suspected affiliates by the NCA, and an administrator of the hosting service LockBit used, Bulletproof, by the Spanish Guardia Civil.
“Once again, we thank Dmitry Khoroshev a.k.a LockBitSupp for allowing us to compromise his platform and discover all this juicy data (it’s keeping our teams busy!),” said the NCA.
As a result of the latter arrest, the Guardia Civil also seized “nine relevant servers of LockBit infrastructure”, which it said would lead to further action.
“Relevant information to prosecute core members and affiliates of the ransomware group was obtained and is currently being analysed,” said the Spanish agency.
Arguably, the most notable, the NCA revealed the identity of a major LockBit affiliate associated with major cyber crime network Evil Corp.
“Aleksandr Ryzhenkov DOB 26/05/1993 has been unmasked by the NCA as the specific member of Evil Corp who is a LockBit affiliate,” said the FBI.
“Ryzhenkov used the affiliate name Beverley, made over 60 LockBit ransomware builds and sought to extort at least [US]$100 million from victims in ransom demands. Ryzhenkov additionally has been linked to the alias mx1r and associated with UNC2165 (an evolution of Evil Corp affiliated actors).”
In May we revealed LockBitsUpp, leader of the LockBit ransomware group, as Dmitry Khoroshev. Today, we can also identify one of his affiliates (known as Beverley) as Aleksandr Ryzhenkov, Russian national and key member of cyber criminal group, Evil Corp. pic.twitter.com/SW524RhtiR
— National Crime Agency (NCA) (@NCA_UK) October 1, 2024
Ryzhenkov is also believed to be the right-hand man of Maksim Yakubets, Evil Corp’s founder and leader, better known as Aqua. Yakubets currently has a US$5 million bounty for his arrest.
For their involvement in the cyber gang, 16 Evil Corp members, including Rhyzenkov, have had sanctions imposed on them by the UK. The US imposed seven and Australia imposed three, with both countries placing sanctions on Ryzhenkov.
Additionally, the US Department of Justice (US DOJ) imposed a sanction on Ryzhenkov for “using the BitPaymer ransomware variant to attack numerous victims in Texas and throughout the United States and hold their sensitive data for ransom”.
BitPaymer is a ransomware variant used by Ryzhenkov and other threat actors to encrypt files on accessed devices.
Having tracked Evil Corp since 2010, major cyber security firm CrowdStrike said it worked with global law enforcement and provided critical threat intelligence and analysis “in support” of the latest announcements.
“CrowdStrike Counter Adversary Operations has tracked INDRIK SPIDER (aka Evil Corp) since 2010. Throughout its tenure, the adversary has developed the Dridex banking Trojan and several ransomware variants, including BitPaymer and WastedLocker,” it said.
According to the US DOJ, Ryzhenkov would gain unauthorised access to victim devices before deploying BitPaymer. He would then leave a digital ransomware note that contained a ransom demand as well as instructions on how to contact the threat group and pay the ransom.
“The Justice Department is using all the tools at its disposal to attack the ransomware threat from every angle,” said Deputy Attorney-General Lisa Monaco.
“Today’s charges against Ryzhenkov detail how he and his conspirators stole the sensitive data of innocent Americans and then demanded ransom.
“With law enforcement partners here and around the world, we will continue to put victims first and show these criminals that, in the end, they will be the ones paying for their crimes.”
LockBit’s reactivated seized leak site will once again be taken down by law enforcement in under a week.
The latest activity was achieved thanks to collaboration between law enforcement agencies from Australia, the US, the UK, Canada, France, Germany, Spain, Sweden, Japan, Switzerland, Romania, and the Netherlands, alongside the European Union Agency for Criminal Justice Cooperation (Eurojust).
LockBit’s dark web leak site was first seized in February this year, with law enforcement taking over the group’s administration environment, arresting two individuals and indicting five others.
Like the latest activity, Operation Cronos agencies announced this activity on LockBit’s own site.