Further Evil Corp Cyber Criminals Exposed Following NCA Investigation
The National Crime Agency (NCA), in collaboration with the U.S. and Australian governments, has once again shone a spotlight on the notorious cybercrime group Evil Corp. Following an extensive investigation, the NCA has uncovered additional members of this criminal organization, with one key figure now identified as a LockBit affiliate. This discovery comes as the UK, U.S., and Australia impose sanctions on 16 members of Evil Corp, further limiting their ability to conduct operations.
Evil Corp's Evolution into Ransomware
Once considered the most significant cybercrime threat globally, Evil Corp has expanded from its roots in Moscow as a family-operated financial crime syndicate into a sprawling international cybercriminal organization. Known for their use of ransomware to extort more than $300 million from businesses and individuals around the world, Evil Corp’s impact is vast and widespread.
The head of the group, Maksim Yakubets, along with several other members, was sanctioned by the U.S. in 2019. Now, these individuals are facing sanctions in the UK, imposed by the Foreign, Commonwealth and Development Office (FCDO). In addition to Yakubets, eight individuals previously sanctioned in the U.S. have been sanctioned by the UK, with seven more now unmasked and linked to the group’s operations.
https://www.nationalcrimeagency.gov.uk/who-we-are/publications/732-evil-corp-behind-the-screens/file
The Role of Aleksandr Ryzhenkov and LockBit Affiliation
Perhaps the most significant new revelation in this ongoing investigation is the role of Aleksandr Ryzhenkov, a key figure within Evil Corp and Yakubets' right-hand man. Ryzhenkov has been identified as an affiliate of LockBit, one of the most successful and widely used ransomware-as-a-service (RaaS) models in the world today. His affiliation with LockBit, exposed as part of Operation Cronos, has shed new light on Evil Corp's continued ability to collaborate with and adapt to emerging ransomware platforms.
Operation Cronos is an ongoing, international effort led by the NCA, aimed at disrupting Evil Corp's operations. By sharing intelligence with law enforcement agencies across the globe, the NCA and its partners remain committed to dismantling ransomware groups and ensuring they are held accountable.
LockBit and its Relationship to Evil Corp
While Evil Corp is known for creating its own malware, such as Dridex and BitPaymer, it has adapted to evade sanctions and law enforcement by shifting some operations to ransomware-as-a-service (RaaS) models. Specifically, Aleksandr Ryzhenkov, a high-ranking member of Evil Corp, began using the LockBit RaaS around 2022 to carry out the group's extortion campaigns. This strategy allows Evil Corp to profit from ransomware attacks while distancing itself from the development and distribution of the ransomware itself.
LockBit, one of the most successful and widely used RaaS platforms, is known for its sophistication and effectiveness. Using LockBit allows Evil Corp to target high-earning organizations and demand massive ransoms without directly developing their own tools.
International law enforcement agencies, including the National Crime Agency (NCA), are actively working to disrupt both Evil Corp and LockBit through Operation Cronos. These efforts have resulted in:
- Sanctions against Ryzhenkov and other Evil Corp members in the UK, US, and Australia in 2024.
- An indictment against Ryzhenkov in the US for using BitPaymer ransomware.
- Arrests of individuals associated with LockBit in the UK, France, and Spain in August 2024.
Despite these crackdowns, both Evil Corp and LockBit remain significant threats in the cybercrime world, highlighting the challenges of combating ransomware-as-a-service models.
Global Sanctions and Their Impact
The sanctions imposed on Evil Corp members by the UK, U.S., and Australian governments represent a united front against the group’s criminal activities. These sanctions not only freeze assets but also prevent individuals and organizations from interacting with those associated with Evil Corp. The goal is to disrupt the group’s financial and operational capabilities, forcing them into a defensive position and limiting their ability to carry out future cyberattacks.
The following individuals have been exposed and sanctioned in this latest wave:
- Maksim Yakubets – Leader of Evil Corp
- Igor Turashev – Administrator and key facilitator of Dridex malware
- Aleksandr Ryzhenkov – Identified as a LockBit affiliate
- Eduard Benderskiy – Financial facilitator and father-in-law of Yakubets
- Artem Yakubets – Brother of Maksim Yakubets and Evil Corp/Dridex administrator
- Denis Gusev – Senior financial facilitator responsible for managing money laundering operations
- Vadim Pogodin – Evil Corp malware developer
The exposure of these additional members marks a turning point in the ongoing efforts to dismantle the group. With 16 members now sanctioned, law enforcement agencies are intensifying their pursuit of Evil Corp, aiming to disrupt the infrastructure that enables the group's ransomware attacks.
Here are some strategies Evil Corp uses to maintain its operations despite international sanctions and indictments:
- Adapting tactics and rebuilding after sanctions: Following the sanctions and indictments in 2019, Evil Corp faced disruptions to its operations. As a result, the group has been rebuilding, changing tactics, and taking measures to hide its activity from law enforcement. This includes members going underground, abandoning online accounts, and restricting their movements.
- Shifting from volume to high-earning targets: Instead of volume attacks, Evil Corp has shifted its focus to targeting high-earning organizations.
- Developing new malware and ransomware strains: Evil Corp continues to create new malware and ransomware strains to adapt and stay ahead of law enforcement. For example, they developed WastedLocker, Hades, PhoenixLocker, PayloadBIN, and Macaw.
- Using ransomware-as-a-service (RaaS): Some Evil Corp members have shifted away from using their own tools. Instead, they utilize ransomware strains developed by other cybercrime groups, like LockBit. This allows them to distance themselves from the development and distribution of the ransomware while profiting from its use.
- Leveraging relationships with the Russian state: Evil Corp has ties to the Russian state, with Eduard Benderskiy, a former high-ranking FSB official and father-in-law of Maksim Yakubets, playing a key role. Benderskiy has used his influence to protect the group from Russian authorities and provide security for its senior members.
- Maintaining a decentralized structure: Evil Corp operates as a sprawling international cybercriminal organization, making it more difficult for law enforcement agencies to dismantle.
These strategies highlight Evil Corp's resilience and adaptability in the face of international pressure. By evolving its tactics, leveraging its connections, and exploiting the decentralized nature of cybercrime, the group has managed to remain a persistent threat despite ongoing efforts to curb its activities.
U.S. Treasury Designations and Sanctions Against Evil Corp Members
As the U.S. Treasury continues to pursue and sanction members of Evil Corp, it's critical to recognize the intricate network of people and businesses involved. These sanctions have targeted key players, financial facilitators, and affiliated entities designed to obfuscate the group's illicit operations. Below is an overview of notable sanctioned individuals and their roles within Evil Corp:
- Maksim Viktorovich Yakubets (Leader)
  The mastermind behind Evil Corp, Maksim Yakubets is responsible for leading the organization's extensive cyber operations. He plays a pivotal role in overseeing malware development, particularly Dridex and BitPaymer, and has strong ties to other affiliates that enable the group's financial operations.
- Igor Turashev (Administrator)
  Turashev, a close associate of Yakubets, operates as the administrator for the group and is believed to have been instrumental in the development and deployment of the Dridex malware. He oversees various entities owned or controlled by Evil Corp, including several financial fronts used for laundering money.
- Eduard Vitalyevich Benderskiy (Yakubets’ Father-in-Law)
  Benderskiy plays a significant role in facilitating Evil Corp's financial dealings. He owns and controls Solar-Invest LLC and Vympel-Assistance LLC, both of which are believed to help funnel money to Evil Corp's top brass.
- Artem Viktorovich Yakubets (Brother)
  Artem Yakubets has been identified as a key administrator for Dridex operations and works closely with Maksim Yakubets in leading the organization’s day-to-day operations.
- Denis Gusev (Sr. Financial Facilitator)
  Gusev is a senior member responsible for handling financial operations within Evil Corp. He owns or controls entities like Biznes-Stolitsa and Optima, which are pivotal in facilitating the movement of funds from ransomware operations.
- Key Financial Facilitators
  A network of facilitators ensures the successful laundering of proceeds from Evil Corp’s cybercrime activities. These include:
  - Carlos Alvares
  - Aleksei Bashlikov
  - Gulsara Burkhanova
  - David Guberman
  - Georgios Manidis
  - Azamat Safarov
  - Tatiana Shevchuk
  - Ruslan Zamulko
  These individuals, often acting as frontmen for shell companies, are integral to the group's ability to transfer and obfuscate the origins of illicit funds.
- Evil Corp/Malware Developers and Support
  The technical development of malware like Dridex and WastedLocker is supported by a dedicated team, which includes:
  - Vadim Pogodin
  - Beyat Ramazonov
  - Aleksandr Ryzhenkov (who also used LockBit as Evil Corp's RaaS of choice)
  - Sergei Ryzhenkov (Aleksandr’s brother)
  - Aleksey Shchetinin
  These individuals are responsible for developing and maintaining the malware infrastructure that has allowed Evil Corp to conduct some of the most devastating ransomware attacks in recent history.
Evil Corp’s Global Impact
The sanctions imposed by the U.S. Treasury under Executive Orders 13694 and 14024 have aimed to disrupt the global operations of Evil Corp, but the group has proven resilient, adapting through new malware strains and evolving ransomware tactics. By leveraging business entities and shell corporations across multiple jurisdictions, Evil Corp has been able to maintain a robust and decentralized operation that spans the globe.
Given the scale and persistence of Evil Corp’s activities, international law enforcement agencies continue to collaborate in efforts to dismantle this organization. However, the structure of Evil Corp allows them to rapidly pivot, evolving both their financial and operational strategies to stay one step ahead of authorities.
Ransomware continues to be one of the most significant threats to global cybersecurity. The collaborative efforts of the NCA, FBI, Australian Federal Police, and other international agencies demonstrate the need for a unified response to this evolving threat. Through intelligence sharing and operational cooperation, law enforcement is working to dismantle the infrastructure supporting these criminal organizations.
As the investigation into Evil Corp and its affiliates continues, these sanctions serve as a critical step in curbing the group's global influence and minimizing their ability to carry out further attacks. Law enforcement agencies across the world remain steadfast in their mission to bring these cybercriminals to justice, no matter how long it takes.
For more information on the NCA’s ongoing efforts to combat cybercrime and ransomware, visit this link.
Evil Corp Timeline:
2009:
- Maksim Yakubets forms the Jabber Zeus Crew, deploying the Jabber Zeus banking trojan.
2010:
- Law enforcement action leads to arrests within the Jabber Zeus Crew.
2011:
- Yakubets, Igor Turashev, and Aleksandr Ryzhenkov form The Business Club.
- The Business Club releases the GameOver Zeus banking trojan.
2014:
- Law enforcement dismantles GameOver Zeus.
- The Business Club evolves into Evil Corp.
2017:
- Evil Corp develops and deploys Dridex banking malware.
- Evil Corp releases BitPaymer ransomware.
2019:
- The US indicts and sanctions Yakubets, Turashev, and other Evil Corp members.
- Turashev splits from Evil Corp to create the DoppelPaymer ransomware.
- Viktor Yakubets (Maksim's father) and Eduard Benderskiy (Maksim's father-in-law and former FSB official) leverage Russian state connections to shield Evil Corp.
2020:
- Evil Corp releases WastedLocker ransomware, targeting large corporations.
2021-2022:
- Evil Corp releases new malware strains: Hades, PhoenixLocker, PayloadBIN, and Macaw.
2022:
- Ryzhenkov begins using LockBit RaaS for Evil Corp operations.
2024:
- The UK, US, and Australia impose sanctions on 16 Evil Corp members, including Ryzhenkov.
- The US unseals an indictment against Ryzhenkov for using BitPaymer ransomware.
- Operation Cronos, led by the NCA, continues to disrupt Evil Corp and LockBit.
- Arrests related to LockBit are made in the UK, France, and Spain.
Evil Corp Cast of Characters:
Maksim Yakubets:
- Role: Leader of Evil Corp.
- Bio: A prolific cybercriminal responsible for masterminding Evil Corp's operations, including malware development (Dridex, BitPaymer) and overseeing ransomware attacks.
Igor Turashev:
- Role: Former Administrator of Evil Corp, creator of DoppelPaymer.
- Bio: A close associate of Yakubets and key figure in the development and deployment of Dridex. Left Evil Corp to establish his own ransomware operation.
Aleksandr Ryzhenkov:
- Role: Key member of Evil Corp, LockBit affiliate.
- Bio: Yakubets' right-hand man, trusted with developing potent ransomware strains and later adopting LockBit RaaS for Evil Corp’s operations.
Eduard Benderskiy:
- Role: Financial facilitator, father-in-law of Yakubets.
- Bio: Former high-ranking FSB official, leveraging connections to shield Evil Corp from Russian authorities and facilitating their financial activities.
Viktor Yakubets:
- Role: Facilitator, father of Maksim Yakubets.
- Bio: Works with Benderskiy to protect Evil Corp from Russian authorities.
Artem Yakubets:
- Role: Administrator for Dridex operations, brother of Maksim Yakubets.
- Bio: Works closely with Maksim Yakubets in managing Evil Corp's day-to-day operations, particularly those involving Dridex.
Denis Gusev:
- Role: Senior financial facilitator.
- Bio: Manages money laundering operations for Evil Corp.
Vadim Pogodin:
- Role: Malware developer.
- Bio: Part of the technical team responsible for developing and maintaining Evil Corp's malware.
Other Key Financial Facilitators:
- Carlos Alvares
- Aleksei Bashlikov
- Gulsara Burkhanova
- David Guberman
- Georgios Manidis
- Azamat Safarov
- Tatiana Shevchuk
- Ruslan Zamulko
Other Malware Developers and Support:
- Beyat Ramazonov
- Sergei Ryzhenkov (Aleksandr’s brother)
- Aleksey Shchetinin
Law Enforcement:
- National Crime Agency (NCA): Leads Operation Cronos, targeting Evil Corp and LockBit.
- Federal Bureau of Investigation (FBI): Collaborates with the NCA in investigating and disrupting Evil Corp.
- Australian Federal Police (AFP): Partners with the NCA and FBI in combating Evil Corp's global operations.
Evil Corp: Behind the Screens – The Evolution of a Cybercrime Empire
The recent release of the joint paper titled “Evil Corp: Behind the Screens” by the National Crime Agency (NCA), Federal Bureau of Investigation (FBI), and Australian Federal Police (AFP) offers a detailed and eye-opening look into one of the most notorious cybercriminal organizations to date: Evil Corp. This blog will explore the journey of Evil Corp, its origins, and the key figures behind its operations, along with the impact they’ve had on global cybersecurity.
The Formation of Jabber Zeus Crew (2009)
The story begins in 2009 when Maksim Yakubets, a prolific cybercriminal, formed the Jabber Zeus Crew. This group quickly became infamous for its use of the Jabber Zeus malware, a sophisticated banking trojan that allowed them to steal millions of dollars from financial institutions globally. Their operations were significantly disruptive, prompting law enforcement to intervene.
In 2010, just a year after its formation, members of the Jabber Zeus Crew faced their first major law enforcement action, resulting in arrests. However, this was only the beginning of the saga.
The Business Club Emerges (2011)
After the downfall of Jabber Zeus, Yakubets, along with Igor Turashev and Aleksandr Ryzhenkov, regrouped and formed a new entity known as The Business Club in 2011. The trio wasn't deterred by earlier setbacks. Instead, they developed and deployed one of the most destructive banking trojans in history: GameOver Zeus.
GameOver Zeus infected millions of computers globally and facilitated extensive financial theft. Its success made it one of the most lucrative malware operations at the time, solidifying the group’s reputation in the cybercriminal underground. But by 2014, law enforcement agencies mounted a coordinated effort to take down GameOver Zeus, which marked another significant blow to the group’s activities.
The Birth of Evil Corp (2014)
In the wake of the GameOver Zeus takedown, Evil Corp was born. This new venture saw the trio pivot their focus to creating even more potent forms of malware. In 2017, Evil Corp developed and deployed Dridex, a highly advanced banking malware that targeted businesses and financial institutions, stealing credentials and draining accounts. Around the same time, they also created BitPaymer, a ransomware variant that extorted organizations for large sums of money.
Evil Corp's influence on the cybercriminal landscape grew exponentially as these tools enabled them to operate on a global scale, causing immense financial damage to both businesses and individuals.
The Split and Further Innovations (2019 - 2021)
In 2019, tensions within the group led to a significant split. Igor Turashev branched off to create the DoppelPaymer ransomware, which continued to wreak havoc across various industries. Despite the internal division, Evil Corp’s operations did not slow down.
By 2020, they released WastedLocker, a ransomware tool that specifically targeted large corporations, demanding multimillion-dollar ransoms in exchange for restoring access to encrypted files. Following this, between 2021 and 2022, Evil Corp expanded their arsenal with the release of several new strains of malware, including:
- Hades
- PhoenixLocker
- PayloadBIN
- Macaw
These new ransomware variants further cemented their standing as one of the most prolific cybercriminal organizations in the world.
A New Strategy: LockBit (2022 - Present)
By 2022, Evil Corp had made another notable shift in their operations. Aleksandr Ryzhenkov, one of the key members of the group, began using the LockBit ransomware as a service (RaaS) to continue their criminal enterprise. LockBit became the tool of choice for their extortion campaigns, allowing them to continue demanding massive ransoms from their victims.
This evolution highlights how Evil Corp has adapted over time, leveraging the latest technologies and trends in cybercrime to stay ahead of law enforcement efforts.
Ongoing International Crackdowns (2024)
Fast forward to 2024, and Evil Corp’s reign is still a major focus of international law enforcement agencies. The group continues to face sanctions and indictments, and global efforts are intensifying to dismantle their operations once and for all. Despite these efforts, Evil Corp remains a powerful entity in the cybercrime world, constantly evolving to evade capture and continue their malicious activities.
Conclusion
The paper “Evil Corp: Behind the Screens” offers an unprecedented view into the inner workings of Evil Corp and its transformation over the years. From their early days with Jabber Zeus to the creation of sophisticated ransomware variants, they’ve shown a relentless drive to innovate in the world of cybercrime. As we move forward, it remains critical that international law enforcement agencies stay vigilant and proactive in addressing the ever-evolving threats posed by groups like Evil Corp.
As always, staying informed about the latest cyber threats is essential for businesses and individuals alike. Keep your systems updated, invest in robust cybersecurity solutions, and remain aware of the tactics used by groups like Evil Corp.