Evil Corp Cybercriminals Exposed: UK Sanctions 16 Individuals Linked to Russian State and LockBit

In a significant move to combat global cybercrime, the United Kingdom has sanctioned 16 individuals associated with Evil Corp, once considered the world’s most notorious cybercrime group. The National Crime Agency (NCA) announced that these sanctions not only target key members of Evil Corp but also expose their links to the Russian state and other prolific ransomware groups, including LockBit.

The UK’s actions are part of a coordinated effort with Australia and the United States. The U.S. Department of Justice has unsealed an indictment against a key member of Evil Corp, and both countries have imposed their own sanctions on the group. An extensive investigation by the NCA has been instrumental in mapping out Evil Corp’s criminal activities, revealing a network that has extorted at least $300 million from global victims across sectors such as healthcare, critical national infrastructure, and government.

Formed officially in 2014 in Moscow, Evil Corp transitioned from a family-centered financial crime group into a cybercrime powerhouse. They were responsible for developing and distributing malware strains like Dridex and BitPaymer, targeting banks and financial institutions in over 40 countries. The group’s close ties to the Russian state, facilitated by key enablers like former high-ranking FSB official Eduard Benderskiy, allowed them to conduct cyber attacks and espionage operations against NATO allies prior to 2019.

The head of Evil Corp, Maksim Yakubets, and one of the group’s administrators, Igor Turashev, were previously indicted in the U.S. in 2019. Today, they have been designated in the UK alongside seven others previously sanctioned by the U.S., and an additional seven individuals whose connections to the group were not previously exposed.

One notable figure is Aleksandr Ryzhenkov, Yakubets’ right-hand man. Ryzhenkov played a crucial role in developing some of Evil Corp’s most effective ransomware strains and has been identified as a LockBit affiliate through Operation Cronos, the NCA-led international disruption of LockBit. Data analysis from Evil Corp’s own systems revealed Ryzhenkov’s involvement in LockBit ransomware attacks against numerous organizations. The U.S. Department of Justice has also unsealed an indictment charging Ryzhenkov with using BitPaymer ransomware to target victims across the United States.

James Babbage, Director General for Threats at the NCA, emphasized the significance of the coordinated action:

“The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most harmful cybercrime groups of all time. These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity.”

Babbage noted that since the 2019 U.S. actions against Evil Corp, the group’s tactics have changed, and the harms attributed to them have significantly reduced. However, the new designations aim to disrupt any ongoing criminal activities.

Foreign Secretary David Lammy stated:

“Today’s sanctions send a clear message to the Kremlin that we will not tolerate Russian cyber-attacks—whether from the state itself or from its cyber-criminal ecosystem.”

The 2019 sanctions and indictments caused considerable disruption to Evil Corp, damaging their reputation and operational capabilities. Members were forced to change tactics, with some going underground and abandoning online accounts. The group shifted focus from widespread attacks to targeting high-earning organizations, developing new malware and ransomware strains such as WastedLocker, Hades, PhoenixLocker, PayloadBIN, and Macaw.

Others distanced themselves from creating proprietary tools, opting instead to use ransomware developed by other criminal groups like LockBit. The NCA continues to monitor and track illicit activities conducted by former Evil Corp members, including their involvement in ransomware attacks.

Operation Cronos, the international investigation into LockBit, remains ongoing. The NCA recently announced that LockBit’s original leak site, now under the NCA’s control, has gone live again. The site details further actions taken by the Cronos Taskforce, including the NCA’s arrests in August of two individuals believed to be associated with a LockBit affiliate, on suspicion of Computer Misuse Act and money laundering offenses.

In the same month, French authorities arrested a suspected LockBit developer, and Spanish police detained a primary facilitator of LockBit infrastructure, seizing nine servers used by the group.

Jonathon Ellison, NCSC Director for National Resilience and Future Technology, applauded the coordinated efforts:

“Every day we see ransomware incidents have real-world consequences for UK victims, disrupting key services, damaging businesses’ finances, and putting individuals’ data at risk. I welcome today’s sanctions against Evil Corp-affiliated cyber actors, who have caused harm in the UK and beyond, and strongly support the coordinated steps taken with allies to ensure cybercrime does not pay.”
