Euro Security Watch with Mathew J. Schwartz

Cybercrime , Fraud Management & Cybercrime

Cybercrime Is Still Evil Incorporated, But Disruptions Help

Naming and Sanctioning Cybercrime Syndicate Members Has Repercussions, Police Say
Cybercrime Is Still Evil Incorporated, But Disruptions Help
Evil Corp's $100 million in Dridex malware profits allegedly helped leader Maksim Yukabets enjoy a flamboyant lifestyle, featuring in part his Lamborghini. (Source: U.K. National Crime Agency)

Western law enforcement may not be able to arrest cybercrime suspects who hide out in Russia, but efforts to disrupt criminals' operations do appear to be having an impact.

See Also: Live Webinar | C-SCRM: CIS Benchmarking & Impending Regulation Changes

Law enforcement agencies on Tuesday revealed a flurry of new arrests, sanctions and infrastructure disruptions tied to the LockBit ransomware operation as well as venerable Evil Corp cybercrime syndicate (see: LockBit and Evil Corp Targeted in Anti-Ransomware Crackdown).

Criminals often seem to revel in their online anonymity. Increasingly, cops have been successfully unmasking them. The message is clear: "We know who you are, and we'll be waiting if you ever try to leave Russia."

"The internet provides a certain amount of anonymity which makes it seem like criminals such as these will not be brought to justice," said Sean M. McNee, head of threat intelligence at DomainTools. "They may seem elusive, but they make mistakes. Those mistakes allow us to track their movements and shine a light on their operations."

Case in point is the August arrest of a suspected LockBit affiliate at the request of French authorities. Officials haven't named the suspect or country where they're being detained, but are seeking their extradition.

This doesn't mean the individual may spend the rest of their life behind bars, but they run that risk, especially if the United States also files charges. True, four other previously high-flying cybercriminals recently returned to Russia as part of a prisoner-swap deal. How many future ones will be so lucky?

The U.S. on Tuesday also named and indicted Aleksandr Ryzhenkov, allegedly Evil Corp's second in command. Britain's National Crime Agency said information it obtained after infiltrating LockBit's infrastructure in February revealed that Ryzhenkov was one of the group's affiliates, using its ransomware to infect up to 60 victims, from which he demanded a total of $100 million in ransom payments.

Ryzhenkov's work with LockBit may have been prompted by the U.S. naming and indicting multiple Evil Corp members in December 2019, after which "their success and influence in the cybercrime ecosystem have dwindled," says a report from the NCA, which gives a shout-out to "CrowdStrike, Intel471 and Qintel for their support."

Until the sanctions, Evil Corp operated BitPaymer ransomware, based in part on its long-running Dridex banking Trojan. Once the U.S. sanctioned the group, paying any ransom to it became illegal.

"As a result, the group have been forced to scrap their modus operandi, and attempt new tactics to evade the additional scrutiny and restrictions put on them," the NCA said.

Russia initially assisted the U.S. in 2019, providing information about some of the suspects, although authorities said the flow of information suddenly stopped.

Information published by law enforcement agencies this week helps explain why. British police said the father-in-law of Evil Corp leader Maksim Yakubets, aka Aqua, is Eduard Benderskiy, a former high-ranking official in Russia's principal security agency, the Federal Security Service or FSB, who introduced the group's members to the intelligence services.

"Benderskiy was a key enabler of their relationship with the Russian intelligence services who, prior to 2019, tasked Evil Corp to conduct cyberattacks and espionage operations against NATO allies," the NCA said Tuesday (see: Evil Corp Protected by Ex-Senior FSB Official, Police Say).

Those attacks helped prompt Western sanctions. In response, "Benderskiy used his extensive influence to protect the group, both by providing senior members with security and by ensuring they were not pursued by Russian internal authorities," it said.

Was relying on Yakubets' father-in-law to run cover with Moscow, as it faced high-profile diplomatic demands from the U.S., a comfortable place for Evil Corp's members? One of the sanctioned individuals, Igor Turashev, had a falling out in mid-2019 with Yakubets, which the December 2019 U.S. disruption exacerbated, ending in an "acrimonious split" between the two men, the NCA said.

Turashev has been wanted by German law enforcement since 2023 for his alleged involvement in running DoppelPaymer ransomware, which first appeared in mid-2019, and began to get used in double extortion attacks in early 2020, before rebranding under the name Grief in 2021.

After Turashev left, "the remaining Evil Corp group, led by Yakubets and Ryzhenkov, began developing a new ransomware that would eventually become WastedLocker," the NCA said (see: Evil Corp's 'WastedLocker' Campaign Demands Big Ransoms).

German police in February 2023 arrested two "suspected core members" of DoppelPaymer, including a German national. U.S. victims paid the group at least $44 million from May 2019 to March 2021, officials said.

As those profits highlights, disruptions only seem to go so far. Even so, Yelisey Bohuslavskiy, chief research officer at New York-based threat intelligence firm Red Sense, has detailed the psychological impact such disruptions have on ransomware practitioners and crime group dynamics. "People get tired. They get exhausted psychologically and physically," he said.

Law enforcement so far hasn't shut down Evil Corp, whose members have been part of the cybercrime firmament for nearly two decades. But forcing them to innovate - or retire - is no small victory, not least because innovation takes time and energy, both of which remain finite and appear to lead to diminished operating capabilities.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.eu, you agree to our use of cookies.