Evil Corp
Russian cybercrime syndicate publicly attributed by the U.S. Treasury OFAC in December 2019, which sanctioned founder Maksim Yakubets. Operators of the Dridex banking trojan, the BitPaymer and WastedLocker ransomware families, and (per UK NCA October 2024 attribution) the LockBit and HIVE affiliate ecosystems. Treasury attribution made paying their ransoms a sanctions-compliance risk, which the group worked around via brand rotation.
Aliases
Motivations
Target sectors
Target countries
Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Tools & malware
1 entry
Timeline
6 events
- Sanction · High · 2024-10-01 · US Department of the Treasury
US, UK and Australia issue trilateral Evil Corp sanctions naming FSB enabler Benderskiy
OFAC, the UK Foreign, Commonwealth & Development Office and Australia's Department of Foreign Affairs and Trade jointly sanctioned seven more individuals and two entities tied to Evil Corp. Treasury named Eduard Benderskiy — a former FSB Vympel officer and Yakubets' father-in-law — as the broker who shielded the group from Russian internal authorities after the 2019 designations. The action coincided with Operation Cronos revelations linking Evil Corp deputy Aleksandr Ryzhenkov to LockBit affiliate activity.
Tags: sanctions, ofac, fsb, lockbit, operation-cronos
- Announcement · High · 2024-10-01 · UK National Crime Agency
UK NCA unmasks Evil Corp's Aleksandr Ryzhenkov as a LockBit affiliate
The UK National Crime Agency announced that data recovered during Operation Cronos identified Aleksandr Ryzhenkov, Maksim Yakubets' deputy, as a prolific LockBit affiliate responsible for attacks against at least 60 organizations since 2022. The NCA framed the move as evidence that 2019 sanctions had forced Evil Corp to abandon proprietary ransomware brands — WastedLocker, Hades, PhoenixLocker, PayloadBIN, Macaw — in favour of operating under established ransomware-as-a-service programmes.
Tags: nca, lockbit, operation-cronos, ransomware
- Compromise · High · 2020-07-24 · BleepingComputer
Garmin global outage attributed to Evil Corp WastedLocker ransomware
BleepingComputer confirmed that the 23 July 2020 outage of Garmin Connect, flyGarmin, inReach and related services was caused by a WastedLocker ransomware infection attributed to Evil Corp. Encrypted files carried a '.garminwasted' extension and the operator-issued ransom notes reportedly demanded $10 million. The incident illustrated Evil Corp's post-sanctions pivot from Dridex banking fraud to big-game ransomware.
Tags: ransomware, wastedlocker, garmin, big-game
- Report · High · 2020-06-25 · Symantec (Broadcom)
Symantec discloses WastedLocker wave against 31 US organizations
Symantec's Threat Hunter Team disclosed a wave of WastedLocker ransomware attacks attributed to Evil Corp targeting at least 31 US organizations, including eight Fortune 500 companies across manufacturing, IT and media. The intrusion chain began with the SocGholish JavaScript framework delivered through compromised legitimate websites, followed by Cobalt Strike for lateral movement and culminating in WastedLocker deployment.
Tags: ransomware, wastedlocker, socgholish, cobalt-strike
- Sanction · High · 2019-12-05 · US Department of the Treasury
US Treasury sanctions Evil Corp and designates Maksim Yakubets
The US Treasury's Office of Foreign Assets Control (OFAC) designated Evil Corp together with 17 individuals and seven entities, including alleged leader Maksim Viktorovich Yakubets and administrator Igor Turashev. Treasury attributed the Dridex banking-trojan operation to the group and stated it had caused more than $100 million in theft from financial institutions in over 40 countries. The action was coordinated with the United Kingdom and Australia.
Tags: sanctions, ofac, dridex, financial-crime
- Indictment · High · 2019-12-05 · FBI
DOJ indicts Maksim Yakubets and Igor Turashev over Bugat/Dridex scheme
A federal grand jury in the Western District of Pennsylvania returned a 10-count indictment charging Maksim Yakubets and Igor Turashev with conspiracy, computer hacking, wire fraud and bank fraud tied to the Bugat / Dridex / Kridex malware family. Yakubets, alias 'aqua', was identified as the leader of Evil Corp; the State Department concurrently announced a $5 million Transnational Organized Crime Rewards Program bounty for information leading to his arrest or conviction — the largest such reward for a cybercriminal to that date.
Tags: indictment, dridex, bugat, doj
Indicators of compromise
2 indicators

| Type | Value | First seen | Source |
|---|---|---|---|
| SHA-1 | family · WastedLocker · Second WastedLocker payload hash from Symantec's June 2020 report on Evil Corp's coordinated US ransomware campaign. | Jun 24, 2020 | Symantec (Broadcom) |
| SHA-1 | family · WastedLocker · WastedLocker ransomware sample published in Symantec's June 2020 analysis of Evil Corp attacks against US organizations. | Jun 24, 2020 | Symantec (Broadcom) |
Related actors
shared ATT&CK techniques
- KP · DPRK · Lazarus Group · 3 shared techniques
- KP · DPRK · Andariel · 2 shared techniques
- IR · Iran · APT39 · 2 shared techniques
- ?? · Unknown · BlackSuit · 2 shared techniques
- KP · DPRK · BlueNoroff · 2 shared techniques
- ?? · Unknown · FIN7 · 2 shared techniques
References
cite this page
Threat Intel Tracker. (2026-05-19). Evil Corp — actor profile. Retrieved from https://threatintel.local/actors/evil-corp