US, Australia and the UK Take Action Against Ransomware Group Evil Corp


Today, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned seven individuals and two entities associated with the Russian cybercriminal group Evil Corp as part of a coordinated action with the United Kingdom's Foreign, Commonwealth & Development Office (FCDO) and Australia's Department of Foreign Affairs and Trade (DFAT). Evil Corp, led by Maksim Viktorovich Yakubets, has a long history of cybercrime dating back to 2009, and went on to develop the Dridex malware, used to steal banking credentials and commit financial fraud. Its operations have impacted over 40 countries and caused over $100 million in financial losses, primarily affecting banks, healthcare, and critical infrastructure sectors.

The United Kingdom designated 16 and Australia designated three Evil Corp members and affiliates.

One of the individuals sanctioned by OFAC was LockBit ransomware affiliate Aleksandr Viktorovich Ryzhenkov, also known by the moniker "Beverley," for his involvement, alongside Evil Corp founder Maksim Viktorovich Yakubets, in the group's operations.

In addition to sanctions, the U.S. Department of Justice unsealed an indictment against Ryzhenkov, a Russian national, for his involvement in deploying BitPaymer ransomware to attack multiple victims in Texas and across the U.S. Beginning in June 2017, Ryzhenkov allegedly gained unauthorized access to victims' networks, encrypted their data using ransomware, and demanded large ransoms to restore access and prevent the public release of sensitive information.

The indictment details how Ryzhenkov and his co-conspirators used phishing, malware, and system vulnerabilities to extort millions of dollars from U.S. businesses.

The US Federal Bureau of Investigation, the UK's National Crime Agency, and the Australian Federal Police also released a detailed report entitled Evil Corp: Behind the Scenes, which dives into the group's tactics, history, organizational hierarchy and close links to the Russian state.

Today’s actions coincide with the second day of the U.S.-hosted Counter Ransomware Initiative summit which involves over 50 countries working together to counter the threat of ransomware. TRM Labs is honored to have participated in the summit.

Evil Corp, also known as Indrik Spider, was founded by Yakubets, who operates under the alias 'Aqua' and is currently one of the most wanted cybercriminals, with a $5 million reward offered for information leading to his arrest. The group, organized like a traditional crime family, includes several members of Yakubets' family, such as his father, Viktor Yakubets, and other associates like Aleksandr Viktorovich Ryzhenkov, his second-in-command. They employed highly professional tactics, including money mule networks, cryptocurrency trading, and front companies, to launder the proceeds of their cyber activities. At their height, Evil Corp operated out of physical locations in Moscow and maintained close-knit social and business relationships, underscoring their tight operational structure. Evil Corp and Yakubets were both sanctioned by OFAC in 2019.

Evil Corp’s Evolution and Operations

Evil Corp's history can be traced back to its early days as part of The Business Club, a cybercrime group specializing in bank fraud. From 2009, Yakubets collaborated with other notorious cybercriminals, including Evgeniy Bogachev, to deploy malware such as Jabber Zeus and GameOver Zeus. In 2014, Evil Corp fully transitioned into an organized crime group (OCG) with the introduction of Dridex, which became one of the most prolific malware strains ever developed. Evil Corp also added ransomware to its portfolio, starting with BitPaymer in 2017.

By 2019, U.S. and U.K. law enforcement disrupted Evil Corp’s operations through sanctions and indictments, forcing the group to adapt its tactics. Following this disruption, the group split, with one faction, led by Igor Turashev, developing DoppelPaymer ransomware. The remaining members under Yakubets developed new ransomware strains like WastedLocker, Hades, and Phoenix Locker, demonstrating the group’s adaptability.

The Crypto Nexus

TRM's analysis of on-chain activity provides additional insight into the financial activity of ransomware groups. Historically, ransomware groups have used Bitcoin as the primary cryptocurrency for ransom payments, but they also turn to privacy-enhanced options such as Zcash or Monero, both for collecting from victims and for paying their affiliates.

On-chain analysis of ransomware activity highlights the typical ransomware-as-a-service operating structure, in which a victim's initial ransom payment is split: often 80% goes to the affiliate who carried out the intrusion and 20% to the ransomware group's administrators. Ransomware groups then launder victim funds through mixers, multiple non-custodial exchanges, and centralized VASPs in the United States and Asia.

According to TRM Labs, Ryzhenkov's cryptocurrency address had significant exposure to criminal groups, including well-known ransomware actors that cashed out at both compliant virtual asset service providers and sanctioned entities such as Cryptex.net.

Figure: as visualized in TRM, a cryptocurrency address associated with Ryzhenkov shows significant exposure to criminal groups, including well-known ransomware actors that cashed out at both compliant virtual asset service providers and sanctioned entities such as Cryptex.net.
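The exposure figures above come from following the flow of funds out of an address and attributing value to the labelled counterparties it eventually reaches. The Python below is an added example written for this article, not TRM Labs' tooling or data: it builds a small transaction graph from constructed transfers (an 80/20 affiliate/operator split, then cash-out through a mixer, two exchanges and a sanctioned entity), and computes what fraction of an address's outflows end up at each entity category. The addresses, amounts and labels are all constructed; the `pass_through` option models the assumption that a mixer's outflows can be attributed onward, which in practice depends on the investigator's ability to trace through it.

```python
"""Added illustrative example: proportional exposure of a wallet to labelled entities.

Not TRM Labs' own code. The ledger, addresses and entity labels below are
constructed for illustration and correspond to no real on-chain activity.
"""
from collections import defaultdict

# Constructed transfers: (from_address, to_address, amount in arbitrary units).
TRANSFERS = [
    ("victim_A", "ransom_1", 100.0),
    ("ransom_1", "affiliate_wallet", 80.0),      # 80% affiliate share
    ("ransom_1", "admin_wallet", 20.0),          # 20% operator share
    ("affiliate_wallet", "mixer_X", 50.0),
    ("affiliate_wallet", "cex_US", 30.0),
    ("mixer_X", "sanctioned_exchange", 40.0),
    ("mixer_X", "cex_Asia", 10.0),
    ("admin_wallet", "sanctioned_exchange", 20.0),
]

# Constructed entity attribution (hypothetical labels for the addresses above).
LABELS = {
    "mixer_X": "mixer",
    "cex_US": "compliant_vasp",
    "cex_Asia": "compliant_vasp",
    "sanctioned_exchange": "sanctioned_entity",
}


def build_graph(transfers):
    """Adjacency list of outgoing transfers: address -> [(counterparty, amount)]."""
    graph = defaultdict(list)
    for src, dst, amount in transfers:
        graph[src].append((dst, amount))
    return graph


def exposure(transfers, labels, source, max_hops=4, pass_through=frozenset()):
    """Fraction of `source`'s outflows reaching each labelled entity category.

    Value is pushed forward through unlabelled intermediaries in proportion
    to their own outflows (unspent balances are not modelled). Tracing stops
    at the first labelled address on a path unless its label is in
    `pass_through`, in which case the trace continues through it. Paths that
    exceed `max_hops` or dead-end at an unlabelled address are 'unattributed'.
    """
    graph = build_graph(transfers)
    total_out = sum(amount for _, amount in graph[source])
    if total_out == 0:
        return {}

    attributed = defaultdict(float)
    # Work list entries: (address, value attributed along this path, hop count).
    frontier = [(dst, amount, 1) for dst, amount in graph[source]]
    while frontier:
        addr, value, hops = frontier.pop()
        label = labels.get(addr)
        if label is not None and label not in pass_through:
            attributed[label] += value
            continue
        outs = graph.get(addr, [])
        out_total = sum(amount for _, amount in outs)
        if not outs or hops >= max_hops:
            attributed["unattributed"] += value
            continue
        for dst, amount in outs:
            frontier.append((dst, value * amount / out_total, hops + 1))

    return {label: round(value / total_out, 4) for label, value in attributed.items()}


if __name__ == "__main__":
    # Treating the mixer as opaque: half the outflows stop at the mixer.
    print(exposure(TRANSFERS, LABELS, "ransom_1"))
    # Assuming the mixer's outflows can be attributed onward.
    print(exposure(TRANSFERS, LABELS, "ransom_1", pass_through={"mixer"}))
```

Run as-is, the first call reports 20% sanctioned-entity exposure with 50% stopping at the mixer; passing `pass_through={"mixer"}` raises the sanctioned-entity exposure to 60%, which is the kind of indirect exposure an investigator looks for when a wallet cashes out through both compliant VASPs and designated entities.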

Links to the Russian State

Evil Corp’s relationship with the Russian intelligence services has been extensive. While most cybercriminal groups operate independently, Yakubets' group reportedly worked directly with the FSB, SVR, and GRU to conduct espionage and cyberattacks against NATO allies. Eduard Benderskiy, a former high-ranking official in the FSB’s secretive Vympel unit, facilitated these relationships, ensuring Evil Corp’s protection and assistance from the Russian state. This privileged position allowed Evil Corp to continue its operations with little interference from Russian authorities.

Sanctions Implications

The October 2024 sanctions, along with concurrent designations by the U.K. and Australia, are part of a broader international effort to combat ransomware and cybercrime. As a result of these sanctions, the assets of the designated individuals and entities within U.S. jurisdiction are blocked, and U.S. persons are prohibited from conducting transactions with them. Financial institutions and other businesses that engage with these individuals risk penalties and enforcement actions. Today's Counter Ransomware Initiative summit, involving over 50 countries, further reinforces global collaboration to dismantle cybercriminal networks like Evil Corp.

Conclusion

Evil Corp’s story exemplifies the evolving threat posed by cybercriminal organizations with state ties. Over more than a decade, the group has adapted to law enforcement actions, developing new malware and ransomware to continue its operations. However, sanctions and continuous pressure from international law enforcement have hampered their ability to operate. In 2024, the coordinated actions of the US, UK, and Australia show that Evil Corp’s attempts to evade scrutiny will not go unchallenged, as governments remain committed to disrupting their operations and protecting critical infrastructure from ransomware and cyber threats.
