Evil Corp: The New Targets of the National Crime Agency

2024-10-25

On 1 October 2024 the UK, US and Australia jointly named and imposed sanctions on 16 individuals associated with the notorious Russian cybercrime group Evil Corp.

The sanctions are the latest phase of Operation Cronos, the multinational effort led by the UK's National Crime Agency (NCA) that disrupted the LockBit ransomware operation earlier in the year.

Evil Corp, known for its destructive cyber-attacks and ransomware activity, is assessed to have extorted at least $300 million USD from victims over the past decade.

Who are Evil Corp?

Evil Corp is a Russian cybercrime outfit behind a long run of financially motivated campaigns built on several malware families, including the Dridex banking trojan and the BitPaymer ransomware. Through a series of high-profile attacks the group has extorted over $300 million USD in ransom payments over its lifetime.

It has also emerged that Evil Corp is a family business. Although such allegations had been levelled in the past and denied in turn, it is now established that members of the founder's immediate and extended family were involved in the group's activities, and some observers have likened its structure and business strategy to that of a mafia.

Maksim Yakubets, the founder of Evil Corp, who also goes by the alias 'Aqua', was sanctioned alongside his father Viktor Yakubets, his brother Artem, several cousins and other associates by the governments of the UK, USA and Australia.

Maksim had long featured on the FBI's Cyber's Most Wanted list, and in 2019 the US State Department offered a reward of up to $5 million USD for information leading to his arrest, at the time the largest ever offered for a cybercriminal. Despite this, Maksim made little effort to stay under the radar: he flaunted his wealth, drove a customised Lamborghini, and held a highly publicised $330,000 USD wedding in 2019. A significant portion of that wealth came from attacks on hospitals, healthcare providers and critical national infrastructure.

Russian State Involvement

Maksim's father-in-law, Eduard Bendersky, is a former high-ranking FSB officer who served in 'Vympel', a special forces unit associated with sabotage operations abroad. Some believe that Evil Corp's ties to the Russian state began here, at the family level. In any case, Bendersky is an individual with close ties to the Kremlin, and he was able to broker a far closer relationship between Evil Corp and the Russian intelligence services than is typically seen with other cybercrime organisations.

Before 2019, Evil Corp was even tasked by the Russian intelligence services with cyber-attacks and espionage operations against NATO members. That year, when the US government sanctioned a number of the group's members and froze some of their assets, the relationship between Evil Corp and the Russian state became strained; however, it is believed that Bendersky's influence is what shielded the group from domestic law enforcement.

Consequences for the Ransomware Industry

Since the sanctions and indictments first imposed on Evil Corp and its members in 2019, the group has followed the same pattern as other sanctioned actors, attempting to obscure its operations and identities by adopting a series of new monikers and rotating through different ransomware strains. The reason is practical: once a group is sanctioned, victims and their negotiators face legal penalties for paying it, so as long as a victim can attribute an attack to Evil Corp, the group finds it very difficult to extract a ransom.

This does not appear to have worked, but it did cause the group to rethink its strategy. While some members may have ceased their own operations, others eventually became affiliates of the equally notorious LockBit ransomware operation. One in particular, Aleksandr Ryzhenkov, believed to be Maksim's "right-hand man", was unmasked through Operation Cronos as the LockBit affiliate operating under the alias "Beverley", and is believed to have sought at least $100 million USD in ransom payments from his victims.

Disruptions of ransomware groups are known to have a lasting effect, as seen after the NCA's takeover of LockBit's leak site. Many criminals hope that working with a larger ransomware outfit gives them greater safety and anonymity than operating alone, as well as access to highly sophisticated ransomware tooling. What these sanctions and operations show is that nowhere is safe.

Sources

https://www.whiteblueocean.com/newsroom/the-10-most-notorious-hacking-groups-in-recent-history/
https://www.nationalcrimeagency.gov.uk/who-we-are/publications/732-evil-corp-behind-the-screens/file
https://www.nationalcrimeagency.gov.uk/news/further-evil-corp-cyber-criminals-exposed-one-unmasked-as-lockbit-affiliate
https://www.theregister.com/2024/10/01/nca_names_alleged_evil_corp_kingpin/
https://www.rferl.org/a/in-lavish-wedding-photos-clues-to-an-alleged-russian-cyberthief-fsb-family-ties/30320440.html
https://www.nationalcrimeagency.gov.uk/the-nca-announces-the-disruption-of-lockbit-with-operation-cronos

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.
