Law Enforcement Cracks Down On Ransomware

Law enforcement agencies from 12 countries have collaborated to arrest four individuals associated with the LockBit ransomware gang. Along with the arrests, law enforcement officials seized servers critical to the ransomware gang's operations.

Regarding the arrests, a suspected developer of LockBit was arrested at the request of the French authorities, while the British authorities arrested two individuals for supporting the activity of a LockBit affiliate. Spanish officers seized nine servers that were part of the ransomware's infrastructure and arrested an administrator of a bulletproof hosting service used by the ransomware group.

These actions formed part of the third phase of Operation Cronos, which made international headlines in February 2024, when infrastructure was targeted, and in May 2024, when the gang's administrators were targeted.

As to why LockBit has been in the crosshairs of so many law enforcement agencies, Europol said,

Between 2021 and 2023, LockBit was the most widely employed ransomware variant globally, with a notable number of victims claimed on its data leak site. LockBit operated on the ransom as a service model. The core group sold access to affiliates and received portions of the collected ransom payments. Entities deploying LockBit ransomware attacks had targeted organisations of various sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing and transportation. Reflecting the considerable number of independent affiliates involved, LockBit ransomware attacks display significant variation in observed tactics, techniques and procedures.

In all three phases of Operation Cronos, Europol has facilitated the information exchange, supported the coordination of the operational activities, and provided operational analytical support, crypto tracing, and forensic support.

The law enforcement agency went on to describe the level of support offered to local law enforcement agencies by saying,

The analysis workflow proposed after the first operation enabled a joint work focused on the identification of the LockBit actors. The advanced demixing capabilities of Europol’s Cybercrime Centre enabled the identification of several targets. Following the initiation operations against LockBit’s infrastructure in the beginning of 2024, Europol organised seven technical sprints, three of which were fully dedicated to cryptocurrency tracing. During the action days, Europol deployed an expert to provide on-the-spot support to the national authorities.

Along with the arrests and seizure of servers, Australia, the United Kingdom, and the United States implemented sanctions against an actor who the National Crime Agency had identified as a prolific affiliate of LockBit and strongly linked to Evil Corp. While Evil Corp had denied any relation to LockBit, one of the individuals sanctioned has close ties to both Evil Corp and LockBit.

New Sanctions Slapped on Evil Corp Affiliates

In the press release issued by the UK Government detailing the newly announced sanctions, 16 individuals were added to a sanctions list.

Those individuals include:

  • Maksim Viktorovich Yakubets
  • Artem Viktorovich Yakubets
  • Viktor Grigoryevich Yakubets
  • Igor Olegovich Turashev
  • Aleksandr Viktorovich Ryzhenkov
  • Sergey Viktorovich Ryzhenkov
  • Eduard Vitalevich Benderskiy
  • Dmitry Konstantinovich Smirnov
  • Dmitriy Alekseyevich Slobodskoy
  • Kirill Alekseyevich Slobodskoy
  • Denis Igorevich Gusev
  • Ivan Dmitriyevich Tuchkov
  • Andrey Vechislavovich Plotnitskiy
  • Aleksey Evgenyevich Shchetinin
  • Beyat Enverovich Ramazanov
  • Vadim Gennadyevich Pogodin

Along with announcing the sanctions, the UK National Crime Agency (NCA), the US Federal Bureau of Investigation (FBI), and the Australian Federal Police released a document detailing who is behind Evil Corp and a summary of operations to date. The document asserts that Evil Corp and LockBit have ties deeper than either party admits.

The above-mentioned law enforcement agencies assert that, from 2022 to 2024, some remaining Evil Corp members and affiliates have been involved in deploying other ransomware strains, including LockBit, while continuing to employ SocGholish as an initial access tool.

Maksim Yakubets, one of the group's administrators and key figures, has close ties with Aleksandr Ryzhenkov, believed to be Yakubets's right-hand man. The NCA has determined Ryzhenkov to be a LockBit affiliate.

Further, Ryzhenkov is a person of interest in the Operation Cronos campaign due to his links to LockBit.

Evil Corp's foundation was formed by several cyber criminals coming together. Their experience was put to immediate effect in developing a sophisticated business model, which made them one of the most pervasive and persistent cybercrime adversaries to date.

After being hampered in December 2019 by US sanctions and indictments, the group has been forced to diversify its tactics as it attempts to continue causing harm while adapting to the changing cybercrime ecosystem. This has not gone unnoticed by local and international law enforcement, who seem to be dedicating significant resources not just to hampering Evil Corp's, and by extension LockBit's, efforts but to preventing them from carrying out further cyberattacks.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
