Europol, the UK and the US have all issued press releases in addition to the announcements made on the former LockBit sites. Europol announced new law enforcement actions, including the arrest of an alleged LockBit developer at the request of France while he was vacationing outside of Russia, and the arrests of two individuals in the UK for supporting the activity of a LockBit affiliate.
In Spain, police arrested the alleged administrator of a bulletproof hosting service, which enabled authorities to seize nine servers that were part of LockBit infrastructure. The suspect, authorities say, “was one of the main facilitators of infrastructure for LockBit”, and the information they obtained will be useful for prosecuting core members and affiliates of the cybercrime enterprise.
The most important announcement, however, is related to the unmasking of a Russian national, Aleksandr Viktorovich Ryzhenkov, 31, who authorities say is not only a LockBit affiliate, but also a member of Evil Corp, the infamous profit-driven cybercrime organization that may have also run cyberespionage operations on behalf of the Russian government.
“Ryzhenkov used the affiliate name Beverley, made over 60 LockBit ransomware builds and sought to extort at least $100 million from victims in ransom demands. Ryzhenkov additionally has been linked to the alias mx1r and associated with UNC2165 (an evolution of Evil Corp affiliated actors),” authorities said.
The US Justice Department on Tuesday announced charges against Ryzhenkov, but not for LockBit attacks. Instead, he has been charged over BitPaymer ransomware attacks.
Ryzhenkov is one of the 16 alleged Evil Corp members that were sanctioned on Tuesday by the US, UK, and Australia. The sanctions also target Maksim Yakubets, who is said to be the leader of Evil Corp and who has a $5 million bounty on his head. Authorities say Ryzhenkov is Yakubets’ right-hand man.
According to government agencies, the LockBit operation hit over 2,500 entities across more than 120 countries.