Four LockBit members arrested, major affiliated ousted in latest Operation Cronos activity

Yesterday, global law enforcement, led by the UK National Crime Agency (NCA), the Federal Bureau of Investigation (FBI) and Europol, resurrected the LockBit site it seized and took down back in February and teased new arrests and other announcements with countdown timers.

🚨 LockBit power cut🔌✂️
Four new arrests and financial sanctions against affiliates

More in our press release ➡️ https://t.co/ZzT9rpAhd1 pic.twitter.com/L6AtMYQLXg

============

============

— Europol (@Europol) October 1, 2024

Now, law enforcement has announced that four arrests were made, with a major gang developer arrested on the request of French authorities, two suspected affiliates by the NCA and an admin of the hosting service LockBit used, Bulletproof by the Spanish Guardia Civil.

“Once again, we thank Dmitry Khoroshev a.k.a LockBitSupp for allowing us to compromise his platform and discover all this juicy data (it’s keeping our teams busy!),” said the NCA.

As a result of the latter arrest, the Guardia Civil also seized “nine relevant servers of LockBit infrastructure,” which it says will lead to further action.

“Relevant information to prosecute core members and affiliates of the ransomware group was obtained and is currently being analysed,” said the Spanish agency.

VIEW ALL

Arguably most notably, the NCA revealed the identity of a major LockBit affiliate associated with major cybercrime network Evil Corp.

“Aleksandr Ryzhenkov DOB 26/05/1993 has been unmasked by the NCA as the specific member of Evil Corp who is a LockBit affiliate,” said the FBI.

“Ryzhenkov used the affiliate name Beverley, made over 60 LockBit ransomware builds and sought to extort at least $100 million from victims in ransom demands. Ryzhenkov additionally has been linked to the alias mx1r and associated with UNC2165 (an evolution of Evil Corp affiliated actors).”

In May we revealed LockBitsUpp, leader of the LockBit ransomware group, as Dmitry Khoroshev. Today, we can also identify one of his affiliates (known as Beverley) as Aleksandr Ryzhenkov, Russian national and key member of cyber criminal group, Evil Corp. pic.twitter.com/SW524RhtiR

— National Crime Agency (NCA) (@NCA_UK) October 1, 2024

Ryzhenkov is also believed to be the right-hand-man of Maksim Yakubets, Evil Corps founder leader, better known as Aqua. Yakubets currently has a $5 million bounty for his arrest.

For their involvement in the cyber gang, sixteen Evil Corp members, including Rhyzenkov, have had sanctions imposed on them by the UK. The US imposed seven and Australia imposed three, with both countries placing sanctions on Ryzhenkov.

Additionally, the US Justice Department (US DoJ) imposed a sanction on Ryzhenkov for “using the BitPaymer ransomware variant to attack numerous victims in Texas and throughout the United States and hold their sensitive data for ransom.”

BitPaymer is a ransomware variant used by Ryzhenkov and other threat actors to encrypt files on accessed devices.

Having tracked Evil Corp since 2010, major cyber security firm CrowdStrike said it worked with global law enforcement and provided critical threat intelligence and analysis “in support” of the latest announcements.

“CrowdStrike Counter Adversary Operations has tracked INDRIK SPIDER (aka Evil Corp) since 2010. Throughout its tenure, the adversary has developed the Dridex banking trojan and several ransomware variants, including BitPaymer and WastedLocker.”

According to the US DoJ, Ryzhenkov would gain unauthorised access to victim devices before deploying BitPaymer. He would then leave a digital ransomware note which contained a ransom demand as well as instructions on how to contact the threat group and pay the ransom.

“The Justice Department is using all the tools at its disposal to attack the ransomware threat from every angle,” said Deputy Attorney General Lisa Monaco.

“Today’s charges against Ryzhenkov detail how he and his conspirators stole the sensitive data of innocent Americans and then demanded ransom.

“With law enforcement partners here and around the world, we will continue to put victims first and show these criminals that, in the end, they will be the ones paying for their crimes.”

LockBit’s reactivated seized leak site will once again be taken down by law enforcement in under a week.

The latest activity was achieved thanks to collaboration between law enforcement agencies from Australia, the US, the UK, Canada, France, Germany, Spain, Sweden, Japan, Switzerland, Romania and the Netherlands, alongside the European Union Agency for Criminal Justice Cooperation (Eurojust).

LockBit’s dark web leak site was first seized in February this year, with law enforcement taking over the groups administration environment, arresting two individuals and indicting five others.

Like the latest activity, Operation Cronos agencies announced this activity on LockBit’s own site.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.