Worldwide regulation enforcement has labored for years to disrupt the cybercriminal gang Evil Corp and its egregious international crime spree. However in a crowded area of prolific Russian cybercriminals, Evil Corp is most notable for its singular relationship with Russian intelligence.
On Tuesday, the UK’s Nationwide Crime Company launched new particulars in regards to the real-world identities of alleged Evil Corp members, the group’s connection to the LockBit platform, and the gang’s ties to the Russian state. Researchers have more and more established that there are free, quid professional quo connections between Russian cybercriminals and the nation’s authorities. However NCA officers emphasize that Evil Corp is an uncommon instance of a gang that has direct relationships with a number of Russian intelligence businesses—together with Russia’s Federal Safety Service, or FSB; International Intelligence Service, or SVR; and army intelligence company often called the GRU. And the NCA stories that earlier than 2019, Evil Corp was particularly “tasked” by Russia’s intelligence providers with conducting espionage operations and cyberattacks towards unidentified “NATO allies.”
For greater than a decade, Evil Corp has used its Dridex malware and different hacking instruments to compromise 1000’s of financial institution accounts all over the world and steal funds. In 2017, the group expanded into ransomware, utilizing strains like Hades and PhoenixLocker, after which utilizing the LockBit platform as an affiliate starting in 2022. The group has extorted at the very least $300 million from victims on tops of its different spoils, and the USA Division of State is providing a $5 million reward for data resulting in the arrest of the gang’s alleged chief, Maksim Yakubets.
“Evil Corp’s story is a chief instance of the evolving menace posed by cybercriminals and ransomware operators,” the NCA wrote on Tuesday in a joint report with the FBI and Australian Federal Police. “Of their case, the actions of the Russian state performed a very vital position, generally even co-opting this cybercrime group for its personal malicious cyber exercise.”
Not like many Russian cybercrime teams which have advanced a distributed management construction on-line, NCA officers say that Evil Corp is organized like a extra conventional crime syndicate round Yakubets’ household and buddies. His father, Viktor Yakubets, allegedly has a background in cash laundering, and Maksim’s brother Artem, together with cousins Kirill and Dmitry Slobodskoy, are all allegedly concerned with the group. Officers additionally allege that the group has operated out of bodily areas, together with Chianti Café and Situation Café in Moscow.
Officers say that Maksim Yakubets has at all times been the first liaison between Evil Corp and Russian intelligence. However different members, together with his father-in-law, Eduard Benderskiy, additionally allegedly contribute to the relationships. Benderskiy is reportedly a former FSB official who labored within the mysterious ‘Vympel’ unit and, in response to Bellingcat, might have been concerned in a sequence of abroad assassinations. NCA officers say that after the US’s 2019 sanctions and indictments towards Evil Corp members, Benderskiy labored to guard the gang’s senior members inside Russia.
Regardless of its longtime dominance, Evil Corp has needed to proceed evolving to maintain getting cash. Whereas it denies a relationship, the group appeared to have used the infamous ransomware-as-a-service platform LockBit to conduct assaults since 2022. And Yakubets’ alleged second in command, whom NCA officers named on Tuesday as Aleksandr Ryzhenkov, was apparently overseeing this work. After worldwide regulation enforcement launched a main disruption of LockBit in February, the gang has been working in a diminished capability, in response to the NCA.
“Born out of a coalescing of elite cybercriminals, Evil Corp’s refined enterprise mannequin made them one of the pervasive and chronic cybercrime adversaries to this point,” the NCA wrote. “After being hampered by the December 2019 sanctions and indictments, the group have been pressured to diversify their techniques as they try and proceed inflicting hurt while adapting to the altering cybercrime ecosystem.”
