NCA unmasks man it suspects is both 'Evil Corp kingpin' and LockBit affiliate
Aleksandr Ryzhenkov alleged to have extorted around $100M from victims, built 60 LockBit attacks
The latest installment of the National Crime Agency's (NCA) series of ransomware revelations from February's LockBit Leak Week emerges today as the agency identifies a man it not only believes is a member of the long-running Evil Corp crime group but also a LockBit affiliate.
The NCA claimed Aleksandr Ryzhenkov is a high-ranking Evil Corp member – and also alleged he is the LockBit affiliate who has been known as "Beverley" since at least 2022. The revelation is the first-of-its-kind about a known crossover between the two Russian gangs.
The unmasking of Ryzhenkov follows the unveiling of the 194 total affiliates – the cronies that actually carry out ransomware attacks using the brand's name – registered with LockBit at the time of the disruption in February.
Cops finally unmask 'LockBit kingpin' after two-month tease
READ MOREThe disruption came to be known around these parts as LockBit Leak Week, since insights about the group were drip-fed to the public over the course of a week, using the ransomware gang's own website to do it. The same website was revived to reveal this week's fresh batch of intel.
The 194 affiliates were only registered using the moniker assigned to them by LockBit. Cops who revealed that list believe the affiliate who went by "Beverley" to be Ryzhenkov.
From left, a young Dmitry Smirnov and Aleksandr Ryzhenkov, whom the NCA alleges are both core Evil Corp members, cuddle up with a baby cheetah. Picture provided by the NCA – click to enlarge
The law enforcement group also said it believes Ryzhenkov is one of Evil Corp leader Maksim Yakubets' closest professional allies and personal friends. The pair are known to frequently socialize together with their wives; they attended each other's weddings and have vacationed together in the past too.
They've also – at least according to the crime agency – worked together as leading organized cybercriminals since at least 2011.
Ryzhenkov is said to have been active as a LockBit affiliate for around two years, and in that time he built 60 attacks using LockBit's tools, the NCA claimed, which altogether led to attempted extortion demands totaling $100 million in Bitcoin.
While the evidence leading to Ryzhenkov's identification is unknown, it's understood that the authorities believe they have ample financial and technical proof to link him to Evil Corp.
The NCA claimed that, together, Ryzhenkov and Yakubets form two key parts of one of the most successful groups of its kind, which has raked in hundreds of millions of dollars since first spinning up ten years ago, although the group's lineage dates back to 2009.
Yakubets was believed to be involved with the Jabber Zeus crew, distributing the eponymous bank-draining malware until it was disrupted in 2010, with some alleged crew members arrested.
- Deja blues... LockBit boasts once again of ransoming IRS-authorized eFile.com
- RansomHub hits 210 victims in just 6 months
- Five months after takedown, LockBit is a shadow of its former self
- 'LockBit of phishing' EvilProxy used in more than a million attacks every month
The following year, Yakubets is said to have formed The Business Club with Ryzhenkov and Igor Turashev, who you may know from being rapped in 2019 for his alleged role as a sysadmin in Yakubets' various criminal endeavors, including the creation and distribution of the Dridex and Gameover Zeus malware strains.
According to police, the trio went on to form Evil Corp in 2014. In addition to being known as the force behind the Dridex malware, they began experimenting with ransomware in 2017, namely with the BitPaymer variant, before going on to use various others in the following years. One of those we now know is LockBit.
During its rise to infamy, Evil Corp worked its way up into a highly privileged position in the Russian government. The relationship between the criminal gang and the Russian security services is thought to be extraordinarily close, which was also revealed in a far greater extent today courtesy of the NCA.
That's a whole other story, though, which will appear on The Register later today.
It's understood that the NCA's work on Evil Corp hasn't stopped since the disruption and sanctions storm in 2019, which were believed to have significantly hampered its activity since.
The disruption led to reputational damage akin to what February's action against LockBit had, and its infrastructure needed to be rebuilt. The operation was never the same, and some of its members went on to pursue other lines of work, usually all related to malware.
At the time, law enforcement investigators vowed never to give up until the key members were brought to justice, and that ambition persists five years later. ®