On October 1st, the US Department of the Treasury’s Office of Foreign Assets Control sanctioned seven individuals for their association with the Evil Corp cybercriminal group. On the same day, the UK’s National Crime Agency (NCA) revealed that one of the sanctioned members of Evil Corp, Aleksandr Ryzhenkov, also operated as an affiliate of LockBit’s Ransomware-as-a-Service (RaaS) organization. During his time within LockBit, Ryzhenkov was responsible for over 60 LockBit builds and attempted to extort over $100 million from victims.
Effects of Operation Chronos
This new information tying Ryzhenkov to LockBit resulted from data obtained during Operation Chronos, the NCA-led international law enforcement operation that initially disrupted LockBit in February of this year. In addition to the sanctions released on October 1st, the NCA released additional information about the effects of Operation Chronos and its disruption to LockBit.
- According to the NCA, LockBit has had limited operational capabilities and a reduced number of attacks since February. Additionally, LockBit lost affiliates to other RaaS groups and has duplicated or fabricated new victims on its data leak site in an effort to inflate the appearance of its victim count.
- Operation Chronos resulted in several international arrests. In August, two individuals were arrested in the UK for suspected connections to LockBit affiliates and money laundering. In the same month, a suspected LockBit developer was arrested in France. Another individual suspected to be one of the main facilitators of LockBit’s infrastructure was also arrested in Spain.
Analyst Comments
While Evil Corp is no stranger to sanctions, the latest wave highlights the continued and targeted efforts of law enforcement toward individuals responsible for large-scale cybercriminal activity. However, while increased sanctions activity evidences the tireless work of law enforcement eliminating or disrupting key players in the cybercrime ecosystem, individuals like Ryzhenkov prove cybercriminals go down swinging- moving to other ransomware groups or starting new ones when their previous ventures fail.
Sources
Further Evil Corp cyber criminals exposed, one unmasked as LockBit affiliate
Related Resources
![]()
Telegram Changes Privacy Policy
Telegram – the instant messaging platform popular with ransomware groups and cybercriminals because of its user privacy features – recently updated its privacy policy in an effort to discourage criminals from abusing the platform.
Read more![]()
Rhysida Using Oyster Backdoor in Attacks
The Rhysida ransomware group has been using the Oyster backdoor in attacks, leveraging fake websites to trick users into downloading malicious software.
Read more![]()
New Group Emerges with Similarities to ALPHV/BlackCat
Cicada3301, a new RaaS group, emerged in June 2024. Using double extortion, they target Windows and Linux/VMware ESXi systems, posting victims on their dark website. Their methods show strong similarities to ALPHV/BlackCat ransomware.
Read more
