Four Individuals Connected to LockBit Ransomware Attacks Arrested; Evil Corp Members Sanctioned
An international law enforcement operation has resulted in the arrests of four individuals suspected of involvement in LockBit ransomware attacks and the takedown of nine servers linked to LockBit ransomware operations.
Operation Cronos
The latest actions are part of phase three of Operation Cronos, an international law enforcement operation led by the UK’s National Crime Agency (NCA) that successfully took down the online infrastructure of the LockBit ransomware operation in February this year. The February operation caused significant disruption to the group’s operations, and while the group claimed to have restored its infrastructure within a week, it was clear that Operation Chronos caused significant disruption that lasted longer than the group was willing to acknowledge. The NCA obtained around 7,000 decryption keys, which allowed victims to recover their data.
The operation uncovered the leader of the group, Russian national Dmitry Khoroshev aka LockBitSupp, who has since been sanctioned by the Foreign, Commonwealth & Development Office (FCDO), US Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the Australian Department of Foreign Affairs. Dmitry Khoroshev, along with suspected LockBit members Artur Sungatov and Ivan Kondratyev, have been indicted for their involvement in LockBit attacks and there have been multiple arrests. Two suspected members of the group pleaded guilty to their involvement with LockBit in July 2024.
Law enforcement collected a significant amount of data in the operation, allowing the identification of some of the group’s members and affiliates. The operation also confirmed that despite the group’s claims that stolen data is deleted when the ransom is paid, that is not the case. In February, the Department of Justice and the NCA said the group is believed to have extorted as much as $1 billion in at least 7,000 ransomware attacks between June 2022 and February 2024.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Four More Individuals Arrested
The latest phase of Operation Cronos involved law enforcement agencies in 12 countries, supported by Eurojust and Europol. Four more individuals have been arrested for their involvement in the LockBit operation, including a suspected developer who left Russia to go on holiday and was arrested at the request of French authorities under an extradition treaty France had with the country. Two individuals were arrested in the United Kingdom, one of whom is suspected of being a LockBit affiliate and the other has been arrested for alleged money laundering activities for the group. The identities of the two individuals were uncovered after analyzing data obtained in the February seizure of LockBit’s infrastructure.
“I am making it my personal mission to target the Kremlin with the full arsenal of sanctions at our disposal,” said UK Foreign Secretary David Lammy. “Putin has built a corrupt mafia state with himself at its centre. We must combat this at every turn, and today’s action is just the beginning. “Today’s sanctions send a clear message to the Kremlin that we will not tolerate Russian cyber-attacks – whether from the state itself or from its cyber-criminal ecosystem.”
The administrator of a bulletproof hosting service used by LockBit was arrested by Spanish law enforcement at Madrid airport, and Spanish authorities seized nine servers used by the group. Sanctions have been announced by the United States, United Kingdom, and Australia against an individual suspected of being a highly active affiliate of the group for his role in attacks and money laundering activities. That individual is Russian national Aleksandr Ryzhenkov, 31, a known associate of the head of the notorious Evil Corp cybercrime group.
The United Kingdom, United States, and Australia have separately sanctioned 16 members of the Evil Corp cybercrime gang, a group believed to have stolen around $300 million over the past decade. Evil Corp is known to have engaged in ransomware activity, having conducted many attacks using BitPaymer ransomware but this is the first time that Evil Corp has been linked to the LockBit operation. The LockBit group has previously stated that it does not work with Evil Corp.
Aleksandr Ryzhenkov is believed to be a high-ranking member of LockBit and is alleged to have created more than 60 versions of LockBit ransomware and conducted many attacks, demanding more than $100 million in ransoms. Aleksandr Ryzhenkov was indicted in the United States for his Evil Corp activities, including conducting Bitpaymer ransomware attacks on numerous victims in Texas and throughout the United States.
“The Justice Department is using all the tools at its disposal to attack the ransomware threat from every angle,” said Deputy Attorney General Lisa Monaco. “Today’s charges against Ryzhenkov detail how he and his conspirators stole the sensitive data of innocent Americans and then demanded ransom. With law enforcement partners here and around the world, we will continue to put victims first and show these criminals that, in the end, they will be the ones paying for their crimes.”
Evil Corp Structure and Known Members. Source: U.S. Department of the Treasury.
