Sixteen members of Evil Corp, once considered the world’s most significant cybercrime threat, have been sanctioned in the UK, with their links to the Russian state and other prominent ransomware groups, including LockBit, revealed. The action comes as part of a coordinated effort between the UK, Australia, and the United States, with the US also unsealing an indictment against a key member of the group.
The National Crime Agency (NCA) led an extensive investigation into Evil Corp, tracing its evolution from a small financial crime family in Moscow into an expansive cybercrime syndicate responsible for extorting at least $300 million from victims worldwide, including those in healthcare, critical infrastructure, and government sectors.
In 2019, the NCA’s investigation contributed to the indictment of Evil Corp’s leader, Maksim Yakubets, and group administrator, Igor Turashev, in the United States, resulting in sanctions against several members. Yesterday, Yakubets, Turashev, and seven others previously sanctioned in the US were also designated by the UK’s Foreign, Commonwealth and Development Office, along with seven additional members whose roles and connections had not been publicly known until now.
Among those newly sanctioned is Aleksandr Ryzhenkov, Yakubets’ right-hand man, who played a major role in developing some of Evil Corp’s most notorious ransomware strains. As part of Operation Cronos, an NCA-led international effort, Ryzhenkov was identified as a LockBit affiliate involved in ransomware attacks on numerous organisations. Separately, the US Department of Justice has unsealed an indictment against Ryzhenkov for using BitPaymer ransomware against US victims.
Other individuals sanctioned include Yakubets’ father, Viktor Yakubets, and father-in-law, Eduard Benderskiy, a former high-ranking FSB official. Benderskiy was instrumental in Evil Corp’s relationship with Russian Intelligence Services, facilitating cyberattacks and espionage against NATO allies before the group was first sanctioned in 2019.
The Evolution and Disruption of Evil Corp
Evil Corp officially formed as a crime group in 2014, targeting banks and financial institutions in over 40 countries, stealing over $100 million using tools like BitPaymer and Dridex. The group enjoyed privileged status, with connections to the Russian state, and Benderskiy used his influence to protect members after the US sanctions and indictments in 2019.
However, these actions significantly disrupted Evil Corp’s operations, damaging their brand and making it difficult to elicit ransom payments. Members were forced to change tactics, go underground, and adapt to avoid law enforcement detection. The group developed new malware strains, including WastedLocker, Hades, PhoenixLocker, PayloadBIN, and Macaw, and shifted their focus to high-value targets. Some members, like Ryzhenkov, moved away from developing their own tools, instead using ransomware developed by other groups, such as LockBit.
The NCA is continuing to monitor illicit activity linked to former members of Evil Corp, including their involvement in ransomware attacks. The international investigation into LockBit remains ongoing, with recent action detailed on the group’s original leak site, which is under the control of the NCA. The Cronos Taskforce arrested two individuals in August for their suspected involvement with LockBit, on suspicion of Computer Misuse Act and money laundering offences. French and Spanish authorities also made arrests, including a suspected LockBit developer and a facilitator of the group’s infrastructure.
Government and Agency Responses
James Babbage, Director General for Threats at the NCA, said, “The action announced yesterday has taken place in conjunction with extensive and complex investigations by the NCA into two of the most harmful cybercrime groups of all time. These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity. We expect these new designations to also disrupt their ongoing criminal activity.”
Foreign Secretary David Lammy emphasised the importance of these sanctions as part of a wider strategy against the Russian state: “I am making it my personal mission to target the Kremlin with the full arsenal of sanctions at our disposal. Yesterday’s sanctions send a clear message to the Kremlin that we will not tolerate Russian cyberattacks – whether from the state itself or from its cyber-criminal ecosystem.”
Security Minister Dan Jarvis also highlighted the significance of the action, stating, “Cyber-crime causes immense damage to people and businesses across the world but yesterday’s action is evidence that there are serious consequences for those involved.”
Jonathon Ellison, Director for National Resilience and Future Technology at the National Cyber Security Centre (NCSC), added, “Every day we see ransomware incidents have real-world consequences for UK victims, disrupting key services, damaging businesses’ finances, and putting individuals’ data at risk. I welcome yesterday’s sanctions against Evil Corp-affiliated cyber actors, who have caused harm in the UK and beyond, and strongly support the coordinated steps taken with allies to ensure cybercrime does not pay.”
Protecting Against Ransomware
The NCSC is urging organisations to follow its ransomware guidance to help reduce the chances of falling victim to an attack and to ensure that response plans are in place. The coordinated action across the UK, US, and other international partners is a demonstration of the determination to hold cybercriminals accountable and disrupt their operations, making it increasingly difficult for them to profit from malicious activities.
The new sanctions and ongoing investigations send a clear signal that cybercriminals, no matter how sophisticated or well-connected, will be pursued and held accountable for their actions.