UK's NCA sanctions members of the 'Evil Corp' gang

An abstract image showing a skull over a pixelated background to symbolise a cyber security vulnerability
(Image credit: Shutterstock)

The UK's National Crime Agency (NCA) says it's identified 16 people behind the Evil Corp cybercrime group, and has found links to the Russian state and other prolific ransomware groups, including LockBit.

Five years ago, the head of Evil Corp, Maksim Yakubets, and one of the group's administrators, Igor Turashev, were indicted in the US and sanctioned, along with several other members of the group.

The NCA has now moved to sanction the pair itself, along with seven others sanctioned by the US in 2019, and seven new people who hadn't previously been identified.

These include Aleksandr Ryzhenkov – described by the NCA as Yakubets' right-hand man – with data obtained from the group's own systems showing that he has been involved in LockBit ransomware attacks against numerous organizations. Also sanctioned in the UK are Yakubets' father, Viktor Yakubets, his father-in-law, Eduard Benderskiy, a former high-ranking FSB official, and others.

"These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity," said James Babbage, director general for threats at the NCA.

"Since we supported US action against Evil Corp in 2019, members have amended their tactics and the harms attributed to the group have reduced significantly. We expect these new designations to also disrupt their ongoing criminal activity."

Evil Corp first appeared in 2014, developing and distributing BitPaymer and Dridex, which they used to target banks and financial institutions in over 40 countries, netting over $100 million – with some members thought to have links to the Russian state.

"I am making it my personal mission to target the Kremlin with the full arsenal of sanctions at our disposal. Putin has built a corrupt mafia state with himself at its center. We must combat this at every turn, and today's action is just the beginning," said UK Foreign Secretary David Lammy.

"Today's sanctions send a clear message to the Kremlin that we will not tolerate Russian cyber-attacks – whether from the state itself or from its cyber-criminal ecosystem."

RELATED WEBINAR

Meanwhile, a suspected developer of LockBit has been arrested at the request of the French authorities, while Spanish officers have seized nine servers, part of the ransomware's infrastructure, and arrested an administrator of a Bulletproof hosting service used by the ransomware group.

LockBit was the most widely employed ransomware variant globally between 2021 and 2023, operating on ransomware as a service model and targeting critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.

"While Evil Corp has been relatively quiet since the 2019 US sanctions, today's news illustrates how these groups find workarounds, splinter and regroup and iterate on their tactics to continue to generate revenue," commented Sean M. McNee, head of threat intelligence at software firm DomainTools.

"While it feels like a game of whack-a-mole to try to identify all members involved, DNS and domain intelligence can be powerful tools in fighting against cybercrime groups like Evil Corp. Tracking domains and finding relationships among them allows threat hunters to uncover patterns, making new movements easier and quicker to identify."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.