Evil Corp. – A Russian Organized Crime Group – Overview

Evil Corp (aka Indrik Spider) a Major Russian Cybercriminal Organization

Who is Evil Corp?

Evil Corp (also known as Indrik Spider) originated in Russia and is the most pervasive cybercrime group to ever have operated. Maksim Yakubets, who also goes by the online alias ‘Aqua’ and has a $5 million bounty for his arrest, was Evil Corp’s founder and led the group for the majority of its lifespan.

One of the first major financial cybercrime groups, Evil Corp. developed a series of malware and ransomware strains that have caused significant harm to numerous organizations and sectors, including healthcare, critical national infrastructure, and government.

Several law enforcement and government operations have taken place to disrupt the group since its formation, most notably in the form of sanctions and indictments in December 2019. As a result, the group has been forced to scrap its modus operandi and attempt new tactics to evade the additional scrutiny
and restrictions put on them.

Characterized by their longevity, adaptability, organizational hierarchy, and close links with the Russian state, Evil Corp. has proved a persistent threat for over a decade, and members continue to operate within the Russian Federation. However, since late-2019, their success and influence in the cybercrime ecosystem
have dwindled.

This is based on a UK National Crime Agency paper that provides a high-level overview of the group’s origins, operations, and evolution.

The Evil Corp Group

The majority of organized cybercrime groups operate predominately online, but Maksim Yakubets’ Evil Corp was a more personal affair: a family-centered operation based in Moscow, reminiscent of a traditional organized crime gang.

The Yakubets family were no strangers to financial crime: Viktor Yakubets, father of Maksim, had significant historical ties to money laundering activity. Maksim took this family business into the 21st century, branching into cybercrime and bringing his father, brother (Artem), and cousins (Kirill and Dmitry Slobodskoy) along with him.

By drawing on this family knowledge, Evil Corp became experts in laundering the proceeds of their cybercriminal activities.

Highly organized, a huge amount of resources was invested in professionalizing their business, whether that be by managing money mule networks, cryptocurrency trading, setting up front companies or employing lawyers. Although their technical capabilities were advanced, it was arguably their ability to realize the proceeds of their cybercrime that made them so successful.

At their peak, Evil Corp was a tight-knit group, operating out of physical office locations in Moscow (including Chianti Café and Scenario Café), and spending a lot of time socializing together, along with their wives and girlfriends. They even went on group holidays.

Maksim was the leader of the group, making all of the important decisions and keeping a firm grip on their activities. He was careful about exposing different group members to different areas of the business, even keeping details of his work secret from his wife.

However, he clearly placed a lot of trust in his long-term associate and second-in-command, Aleksandr Ryzhenkov. Yakubets started working with Ryzhenkov around 2013 whilst they were both still involved in The Business Club. The partnership endured, and they worked together on a number of Evil Corp’s most prolific ransomware strains.

Cyber Proxies: Evil Corp. and the Russian State

Whilst most cybercriminal activity is financially motivated, the Russian Intelligence Services have in some reported cases directed cybercriminals to conduct malicious cyber activity or used malware strains for espionage purposes. For example, in 2017, two Russian FSB officers were indicted by the US Department of Justice (DoJ) for directing criminal hackers to compromise 500 million Yahoo accounts. Another notable Russian cybercriminal, Vitaly Kovalev, who was sanctioned by the UK and US governments in 2023 for his senior role in the Trickbot cybercrime group, also had a relationship with the Russian Intelligence Services.

Evil Corp held a privileged position, and the relationship between the Russian state and this cybercriminal group went far beyond the typical state-criminal relationship of protection, payoffs, and racketeering. In fact, prior to 2019, Evil Corp was tasked by Russian Intelligence Services to conduct cyber-attacks and espionage operations against NATO allies.

Liaison with the intelligence services was led by Maksim Yakubets. As Evil Corp evolved, he became the group’s main contact with Russian officials, developing or seeking to develop relationships with FSB, SVR, and GRU officials. Multiple other members of the Evil Corp group have their own ties with the Russian state.

In particular, Yakubets’ father-in-law, Eduard Benderskiy, was a key enabler of Evil Corp’s state relationships.

Eduard Benderskiy is a former high-ranking official of the FSB’s secretive ‘Vympel’ unit and now owns various organizations carrying the ‘Vympel’ name. It has been reported by Bellingcat that through Vympel, Benderskiy has been involved in multiple overseas assassinations on behalf of the Russian state. Evidently, he is a highly connected individual still closely involved with the Kremlin’s activities.

Benderskiy leveraged his status and contacts to facilitate Evil Corp’s developing relationships with officials from the Russian Intelligence Services. After the US sanctions and indictments against Evil Corp members in December 2019, Benderskiy used his extensive influence to protect the group, both by providing senior members with security and by ensuring they were not pursued by internal Russian authorities.

Timeline of Evil Corp.’s Activity

2007-2011: The Early Days

• • Maksim Yakubets, leader of the Evil Corp OCG, probably began his involvement in cybercrime activity around 2007.
  • Since at least 2009, Yakubets worked with several notorious cybercriminals including Evgeniy Bogachev and Vitaliy Kovalev (involved in Dyre, Trickbot and Conti) to deploy malware.

2011-2014: The Business Club

• • A number of Russian-speaking cybercriminals, including Maksim Yakubets and Vitaliy Kovalev, came together to form The Business Club cybercrime group. Yakubets would later team up with other members, Igor Turashev and Aleksandr Ryzhenkov, in Evil Corp.
  • Aleksandr Ryzhenkov was part of an affiliate group of The Business Club which specialised in bank transfer fraud against the UK.

2014: Dridex and the Formation of Evil Corp as an OCG

• • Maksim Yakubets worked with Aleksandr Ryzhenkov and other former members of The Business Club to create Dridex malware.
  • Dridex was brought into operation in June 2014 and went on to become one of the most prolific and successful banking malware strains to date. The group set up the domain Ev17corp.biz to coordinate their operations, and Evil Corp was born.
  • Much like current Ransomware as a Service (RaaS) models, Evil Corp segmented and rented out the Dridex botnet to affiliates who could use it for their own malicious cyber operations.

2017-2018: BitPaymer – The Group Begins Using Ransomware

• • In mid-2017, Evil Corp used Dridex to start deploying ransomware. BitPaymer was used in a number of big game hunting attacks, targeting high value or high-profile organizations.

2019-2020: The Split – DoppelPaymer

• • After an acrimonious split between Maksim Yakubets and another key Evil Corp member, Igor Turashev (beginning in mid-2019 but exacerbated by the December 2019 disruption), the group divided, and Turashev led the development of DoppelPaymer ransomware. DoppelPaymer was first observed in mid-2019 and continued infecting organizations throughout 2020.
  • Since 2023, Igor Turashev is wanted by the German authorities for his involvement in DoppelPaymer ransomware.
  • The remaining Evil Corp group, led by Yakubets and Ryzhenkov, began developing a new ransomware that would eventually become WastedLocker.

December 2019: US/UK Disruption

• • Following operational support from the NCA, the US Treasury Office for Foreign Assets Control (OFAC) designated Evil Corp and a number of its members. The US Department of Justice also announced indictments and State Department rewards for information leading to the arrest of Maksim Yakubets and Igor Turashev.
  • The disruptions in 2019 brought significant cost and risk to the group’s operations and bred mistrust and paranoia.

2020: Obfuscation and Evasion – WastedLocker

• • Evil Corp. was forced to transform its modus operandi to further obfuscate its activities. This included no longer using Dridex and switching to the initial access tool SocGholish.
  • The individuals became more secretive, abandoning online accounts and restricting their movements.
  • Despite attempts to obfuscate their activities, Evil Corp was attributed to the WastedLocker ransomware strain, which they started deploying in mid-2020.

2020-2021: Hades, Phoenix Locker, PayloadBIN and Macaw

• • Evil Corp continued to adapt and change their ransomware strains. They developed and deployed further ransomware strains Hades, Phoenix Locker, PayloadBIN, and Macaw, all of which shared a similar codebase.
  • One of the notable attacks using Phoenix Locker resulted in a $40 million ransomware payment, the largest ever recorded at the time.
    2022-2024: Diversification and Affiliation to LockBit
  • Whilst many original members are suspected to have gone on to other activity, some remaining Evil Corp members and affiliates have been involved in deploying other ransomware strains since 2022, including LockBit, continuing to employ SocGholish as an initial access tool.
  • The NCA has determined that Aleksandr Ryzhenkov, Yakubets’ right-hand man, is a LockBit affiliate and has been involved in LockBit ransomware attacks against numerous organizations.
  • LockBit ransomware was disrupted by an NCA-led international law enforcement takedown in February 2024 under Operation Cronos.
  • Other members of the group continue to operate within the Russian Federation. For example, in December 2022, Igor Turashev and his company came third in a hackathon organized by the Wagner group.

Recent Action

Further Evil Corp. cybercriminals exposed following NCA investigation, one unmasked as LockBit affiliate, as UK, US, and Australia unveil sanctions.

16 members of Evil Corp, once believed to be the most significant cybercrime threat in the world have been sanctioned in the UK with their links to the Russian state and other ransomware groups, including LockBit, exposed. Sanctions have also been imposed by Australia and the US.

An extensive investigation by the NCA has helped map out the history and reach of Evil Corp’s criminality; from a family-centered financial crime group in Moscow that branched out into cybercrime, going on to extort at least $300 million from victims globally.

Today, the head of Evil Corp, Maksim Yakubets, and eight of those sanctioned by the US in 2019 have also been sanctioned in the UK by the Foreign, Commonwealth and Development Office, along with an additional seven individuals whose links and support for the group have not previously been exposed.

This includes Aleksandr Ryzhenkov, Yakubets’ right-hand man who has also been identified as a LockBit affiliate as part of Operation Cronos – the ongoing NCA-led international disruption of the group.

Conclusion

Evil Corp’s story is a prime example of the evolving threat posed by cybercriminals and ransomware operators. In their case, the activities of the Russian state played a particularly significant role, sometimes even co-opting this cybercrime group for its own malicious cyber activity. Born out of a coalescing of elite cybercriminals, Evil Corp.’s sophisticated business model made them one of the most pervasive and persistent cybercrime adversaries to date. After
being hampered by the December 2019 sanctions and indictments, the group has been forced to diversify its tactics as it attempted to continue causing harm whilst adapting to the changing cybercrime ecosystem. In 2024, further action taken against Evil Corp by the United Kingdom, United States, and Australian governments proves their attempts have not gone unnoticed and will not go unchallenged.