Four alleged LockBit members arrested in international effort

NCA exposes Russia-linked hacker as LockBit affiliate

Law enforcement agencies from 12 countries have arrested four individuals linked to the notorious LockBit ransomware gang.

Europol disclosed on Tuesday that French authorities apprehended a suspected LockBit ransomware developer, while British authorities arrested two individuals believed to be supporting LockBit affiliates.

Additionally, Spanish law enforcement arrested an alleged administrator of LockBit's bulletproof hosting service.

The arrests are part of the third phase of Operation Cronos, a joint task force led by the UK's National Crime Agency (NCA) that has been targeting LockBit since April 2022. The operation has resulted in significant disruptions to the ransomware gang's infrastructure and the arrest of several key members.

"These actions follow the massive disruption of LockBit infrastructure in February 2024, as well as the large series of sanctions and operational actions that took place against LockBit administrators in May and subsequent months," Europol said.

Evil Corp connection

In addition to the latest arrests, law enforcement agencies have also seized LockBit infrastructure servers. The UK, US and Australia have sanctioned 15 Russian nationals involved in Evil Corp, a cybercrime group closely linked to LockBit.

On Tuesday, the NCA exposed a high-ranking member of the Evil Corp gang as a key affiliate of the LockBit ransomware group.

The NCA identified Russian national Aleksandr Viktorovich Ryzhenkov as a "second in command" at Evil Corp, closely linked to the gang's founder and leader, Maksim Yakubets.

The NCA's findings reveal a deep connection between the two groups, with Ryzhenkov acting as a bridge between them.

Ryzhenkov, who has targeted at least 60 victims as a LockBit affiliate, has been sanctioned by the US and UK governments for his alleged role in cybercrimes.

The NCA has also identified other key members of Evil Corp, including Maksim Yakubets' father and father-in-law, as well as a former high-ranking Russian intelligence official.

On Tuesday, the US Department of Justice (DoJ) unsealed an indictment charging Ryzhenkov with launching a series of ransomware attacks across the United States.

Ryzhenkov is accused of deploying the BitPaymer ransomware variant to infiltrate victims' computer networks, steal sensitive data, and then hold it hostage for ransom payments.

The indictment alleges that Ryzhenkov's activities began in June 2017 and targeted numerous victims in Texas and beyond. His tactics allegedly involved a combination of phishing campaigns, malware deployment, and exploiting software vulnerabilities to gain unauthorised access to victims' systems.

Once inside the systems, Ryzhenkov and his co-conspirators used BitPaymer to encrypt the stolen data, rendering it inaccessible to the victims. They then left a ransom note demanding payment in exchange for a decryption key and the promise of not leaking the stolen data.

Ryzhenkov's current whereabouts remain unknown, although the FBI believes he is residing in Russia.

The DoJ says it has taken steps to disrupt his operations by adding him to the Treasury Department's Office of Foreign Assets Control (OFAC) sanctions list. This designation freezes any assets Ryzhenkov may hold in the US and prohibits US financial institutions from engaging in transactions with him.

"The Justice Department is using all the tools at its disposal to attack the ransomware threat from every angle," said Deputy Attorney General Lisa Monaco.

"Today's charges against Ryzhenkov detail how he and his conspirators stole the sensitive data of innocent Americans and then demanded ransom. With law enforcement partners here and around the world, we will continue to put victims first and show these criminals that, in the end, they will be the ones paying for their crimes," Monaco added.