Lizzie Clark

Evil Corp and LockBit Ties Uncovered in Operation Cronos

In this blog series we spotlight one of the stories from our cybersecurity newsletter, Beacon.

On October 1, 2024, the UK National Crime Agency (NCA) announced sanctions against 16 members of the Russian hacker group Evil Corp, revealing direct links to ransomware group LockBit. This move is part of a coordinated international effort, with Australia and the United States also imposing similar sanctions. These actions are the latest phase of Operation Cronos, a global law enforcement initiative that began in early 2024 and has led to significant disruption of LockBit’s activities.

Evil Corp has been on the radar of law enforcement agencies since its inception in 2014. Known for creating and distributing ransomware like BitPaymer and Dridex, the group has targeted financial institutions, healthcare organizations, and government sectors in over 40 countries, stealing more than $100 million. Over the years, Evil Corp’s activities have extorted more than $300 million from their global victims, making it one of the most prolific cybercrime organizations in the world. Some members of the group are believed to have close ties to the Russian government, further complicating efforts to bring them to justice.

The group’s leader, Maksim Yakubets, and several other high-ranking members, including Igor Turashev, were sanctioned by the U.S. Department of Justice back in 2019. However, the October 1, 2024 announcement by the UK government expands these sanctions, designating seven additional individuals whose involvement in Evil Corp had previously been undisclosed.

David Lammy, UK Foreign Secretary, said: “I am making it my personal mission to target the Kremlin with the full arsenal of sanctions at our disposal. Putin has built a corrupt mafia state with himself at the center. We must combat this at every turn, and today’s action is just the beginning.”

One of the key findings of Operation Cronos is the direct link between Evil Corp and LockBit. According to the NCA, several members of Evil Corp, including Yakubets’ right-hand man, Aleksandr Ryzhenkov, are affiliates of LockBit. After the 2019 sanctions disrupted Evil Corp’s operations and damaged their reputation, many members shifted their tactics. Rather than relying on their own tools like WastedLocker, Hades, and PhoenixLocker, they began using LockBit ransomware to continue their extortion efforts. Despite law enforcement efforts, LockBit still continues to launch attacks. In May 2024 alone, 176 ransomware attacks were attributed to LockBit 3.0, according to the NCC Group.

The continued arrests and sanctions of Operation Cronos signal that governments are becoming more aggressive in their efforts to tackle cybercrime and we can expect more action to be taken in coming months.

If you’d like the latest dark web news and insights delivered into your inbox every Thursday at 10am, sign up to the email version of BEACON.