Evil Corp: The New Targets of the National Crime Agency

2024-10-25

Recently, the UK, US, and Australia have named and imposed sanctions on 16 individuals associated with the notorious cybercrime group Evil Corp.

These sanctions follow Operation Cronos earlier in the year, a multinational effort to disrupt LockBit ransomware operations which was spearheaded by the UK's National Crime Agency. 

Evil Corp, known for its destructive cyber-attacks and ransomware activities, has been linked to stealing around $300 million USD over the past decade.

Who are Evil Corp?

Evil Corp are a Russian cybercrime outfit known for a myriad of ransomware campaigns leveraging several different malware packages, including Dridex and BitPaymer. Through various high-profile attacks, they have managed to extort over $300 million USD in ransom payments throughout the group's lifetime.

It has emerged that Evil Corp is a family business. Though allegations had been levelled in the past and denied in turn, it has been revealed that immediate and extended family members have been involved in the group's misdeeds. Some have likened their business strategy and hierarchy to a mafia.

Maksim Yakubets, the founder of Evil Corp who also goes by the alias 'Aqua', along with his father Viktor Yakubets, brother Artem, and a slew of cousins and other associates, have recently received sanctions from the governments of the UK, USA and Australia. 

Maksim had been at the top of the CIA's cybercrime most wanted list for a considerable time, and had the highest bounty ever placed for details leading to his arrest. Despite this, Maksim made little effort to stay under the radar. He flaunted his wealth, drove a customised Lamborghini, and had a highly publicised $330,000 USD wedding in 2019. A significant portion of this wealth comes from attacking victims such as hospitals, healthcare providers and crucial national infrastructure.

Russian State Involvement

Maksim's father-in-law, Eduard Bendersky, is a former special forces official of 'Vympel', known particularly for foreign sabotage. Some believe that Evil Corp's ties to the Russian government began here at the family level. In any case, Eduard is an individual with close ties to the Kremlin who was able to facilitate a much more intimate relationship between Evil Corp and the Russian Intelligence Services than is typically seen with other cybercrime organisations.

Before 2019, Evil Corp were even contracted by the Russian state to disrupt and infiltrate NATO members. That year, when the US government placed sanctions on a number of the group's members and froze some of their assets, the ties between Evil Corp and the Russian State were strained. However, it is believed that Eduard's influence is what protected the group from internal law enforcement.

Consequences for the Ransomware Industry

Following the sanctions and indictments placed on Evil Corp and its members since 2019, the group have followed a similar trend to others. Chiefly, they have tried to obfuscate their operations and identities by adopting a number of different monikers, using various ransomware strains, and so on. That is because the sanctions placed on them make it very difficult for them to extort further ransom payments from their victims, so long as their victims are able to identify the group's involvement in their attack.

This does not appear to have worked; however, it did cause the group to rethink their strategy. While some members may have ceased their own operations, others eventually became affiliates of the equally notorious LockBit ransomware group. One in particular, Aleksandr Ryzhenkov, believed to be Maksim's "right hand man", was identified by the first wave of Operation Cronos as working under the alias "Beverley", and is believed to be personally responsible for over $100 million USD in ransom extortions.

Disruptions to ransomware groups are known to have a lasting effect, as seen after the defacement of LockBit's leak site by the NCA. Many criminals hope that by working with larger ransomware outfits, they will gain greater safety and privacy than by working on their own, as well as access to some highly sophisticated ransomware tools. What these sanctions and operations against these groups show is that nowhere is safe.

