NCA's major crackdown on INDRIK SPIDER & Evil Corp
Authorities have announced a significant breakthrough in the fight against international cybercrime, following the indictment of Aleksandr Ryzhenkov, a senior member of the cybercriminal group INDRIK SPIDER, also known as Evil Corp. Ryzhenkov is also affiliated with BITWISE SPIDER's LockBit Ransomware-as-a-Service (RaaS) operation.
The announcement was made by a coalition led by the UK's National Crime Agency (NCA).
The NCA, along with CrowdStrike, has been tracking INDRIK SPIDER for several years, noting the group's financial motivations and suspected connections to the Russian government. INDRIK SPIDER has been active in cyber operations targeting NATO countries, reinforcing concerns about Russia's use of cybercriminals for state-sponsored operations.
The coalition has also imposed new sanctions on key members of INDRIK SPIDER, including Eduard Benderskiy, a former officer in Russia's Federal Security Service (FSB). Benderskiy is accused of aiding the group's operations. CrowdStrike provided critical threat intelligence to law enforcement, aiding in the coalition's efforts to disrupt the activities of these individuals.
On October 1, 2024, the NCA and other international law enforcement bodies relaunched BITWISE SPIDER's LockBit dedicated leak site (DLS). The site, which has been under law enforcement control since February 2024, now features nine sections documenting recent arrests, new findings, and other enforcement actions.
Among the newly sanctioned individuals is Maksim Yakubets, leader of INDRIK SPIDER and son-in-law of Benderskiy. Yakubets and fellow member Igor Turashev were previously indicted by the U.S. in 2019. Other sanctioned individuals include Sergey Ryzhenkov, Viktor Yakubets, Beyat Ramazanov, Aleksey Shchetinin, Vadim Pogodin, Artem Yakubets, Dmitry Slobodskoy, Kirill Slobodskoy, Dmitry Smirnov, Andrey Plotnitskiy, Denis Gusev, and Ivan Tuchkov.
Sanctions were jointly imposed by the governments of the U.S., U.K., and Australia. The move underscores a coordinated international effort to dismantle the operations of these cybercriminal groups. Law enforcement reports suggest that prior to 2019, Russian intelligence services tasked INDRIK SPIDER with conducting cyber-attacks and espionage against NATO member countries.
This recent action builds upon previous efforts, including the disruption of the GameOverZeus malware operation, which was run by The Business Club, a precursor group to INDRIK SPIDER. Following the takedown of GameOverZeus in 2014, Yakubets, Turashev, and Ryzhenkov founded Evil Corp and developed the malware families Dridex and BitPaymer.
CrowdStrike's analysis uncovered significant connections between INDRIK SPIDER and BITWISE SPIDER, revealing how these groups collaborate across borders and blur operational lines. CrowdStrike observed INDRIK SPIDER deploying LockBit ransomware and conducting pre-ransomware activity throughout 2023 and into 2024.
Benderskiy's relationship with INDRIK SPIDER reportedly began after his daughter married Yakubets in 2017. His influence is said to have protected the group from Russian authorities following U.S. indictments in 2019. Moreover, Benderskiy was linked to other significant state operations, including the assassination of a Chechen dissident in Germany.
The newly revealed details further connect other INDRIK SPIDER members with various Russian state entities, such as the Foreign Intelligence Service (SVR) and the Main Directorate of the General Staff of the Armed Forces (GRU). This relationship aligns with findings from U.S. authorities that suggested INDRIK SPIDER had been conducting cyber-enabled operations for the Russian government since 2017.
This latest series of sanctions and indictments marks a significant step in the ongoing battle against cybercrime, highlighting the effectiveness of international cooperation in tackling sophisticated cyber threats.