International Authorities Indict, Sanction Additional INDRIK SPIDER Members and Detail Ties to BITWISE SPIDER and Russian State Activity

CrowdStrike often collaborates with law enforcement agencies to identify, track and stop cyber threats. We recently worked with law enforcement stakeholders within the U.K.’s National Crime Agency as part of a broader effort to disrupt a senior member of INDRIK SPIDER, who was also an affiliate of BITWISE SPIDER’s LockBit ransomware-as-a-service (RaaS) operation. CrowdStrike provided important threat intelligence on the adversaries and their motivations in order for these steps to be taken. In this blog, we discuss the indictment and provide in-depth analysis on the threat actors involved.

Beginning on October 1, 2024, an international law enforcement coalition led by the U.K.’s National Crime Agency (NCA) relaunched BITWISE SPIDER’s LockBit dedicated leak site (DLS) with nine sections documenting recent arrests, new findings and other law enforcement activity. The coalition announced a new indictment against Aleksandr Ryzhenkov (aka Beverley, Corbyn_Dallas, G, Guester, Kotosel), an affiliate of BITWISE SPIDER’s LockBit RaaS and a senior INDRIK SPIDER member.

The coalition also announced new sanctions against previously identified INDRIK SPIDER members and a former officer in Russia’s Federal Security Service (FSB) accused of aiding the group1,2. Law enforcement claimed that prior to 2019, Russian intelligence services tasked INDRIK SPIDER with conducting unspecified offensive cyber operations against North Atlantic Treaty Organization (NATO) countries, thereby reinforcing previous assessments about Russia's likely use of cybercriminals to support state operations.

On September 30, 2024, BITWISE SPIDER’s DLS — which has been under U.K. and U.S. law enforcement’s control since its seizure in February 2024 — featured eight new tiles displaying a 30-hour countdown and one tile displaying an approximate seven day and 16 hour countdown leading to the closure of the LockBit DLS. On October 1, 2024, the eight 30-hour tiles revealed several new events and findings pertaining to NCA’s Operation Cronos, which first disrupted BITWISE SPIDER in February 2024. 

Some of the new findings pertain to eCrime adversary INDRIK SPIDER and the role that one of its operators, Aleksandr Ryzhenkov, played as a BITWISE SPIDER affiliate. The findings also detail renewed sanctions against INDRIK SPIDER members (Table 1) and provide further information about the adversary’s relationship with Russian security services. 

CrowdStrike Counter Adversary Operations has tracked INDRIK SPIDER (aka Evil Corp) since 2010. Throughout its tenure, the adversary has developed the Dridex banking trojan and several ransomware variants, including BitPaymer and WastedLocker

Indictment of INDRIK SPIDER member Aleksandr Ryzhenkov

On October 1, 2024, the U.S. Department of Justice unsealed an indictment against Aleksandr Ryzhenkov, a senior member of INDRIK SPIDER since at least 2013, for their involvement in INDRIK SPIDER’s BitPaymer ransomware.3 Along with Maksim Yakubets and Igor Turashev, both previously indicted by the U.S. in 2019, Ryzhenkov was a member of the now-defunct eCrime group The Business Club, which operated the GameOverZeus malware. 

Shortly after law enforcement took down GameOverZeus in 2014,4 Yakubets, Turashev, and Ryzhenkov formed Evil Corp and developed the malware families Dridex and BitPaymer

Ryzhenkov was likely responsible for INDRIK SPIDER's ransomware operations, including BitPaymer.5 Additionally, Ryzhenkov’s brother Sergey Ryzhenkov—who likely uses the moniker Epoch—was also linked to BitPaymer. Likely operating on behalf of INDRIK SPIDER, Aleksandr Ryzhenkov was also a BITWISE SPIDER affiliate using the moniker Beverley

BITWISE SPIDER and INDRIK SPIDER Connections

The newly published information on the seized LockBit DLS from the NCA and the Federal Bureau of Investigation (FBI) confirmed INDRIK SPIDER member Aleksander Ryzhenkov also operated the BITWISE SPIDER affiliate known as Beverley. CrowdStrike Counter Adversary Operations first observed a connection between BITWISE SPIDER and INDRIK SPIDER in October 2022 via blockchain analysis and analysis of malware that linked to both groups. This activity continued throughout 2023, when CrowdStrike Counter Adversary Operations observed INDRIK SPIDER deploying LockBit ransomware at additional entities and conducting likely pre-ransomware activity. 

Throughout 2024, INDRIK SPIDER gained initial access to multiple entities through the Fake Browser Update (FBU) malware-distribution service. The adversary was last seen deploying LockBit during an incident that occurred during Q2 2024.

Former FSB Officer Sanctioned for Relationship with INDRIK SPIDER

Among the individuals the coalition sanctioned is Eduard Benderskiy (Bendersky), a former FSB officer and father-in-law to INDRIK SPIDER leader Maksim Yakubets. Benderskiy's known association with INDRIK SPIDER likely began with Yakubets' 2017 marriage to Benderskiy's daughter. 

Benderskiy, who operates several private security companies and a charity for FSB officers, maintains close ties with the Russian state. Investigative researchers directly connected Benderskiy to the 2019 FSB-orchestrated assassination of a Chechen dissident in Germany by Vadim Krasikov; this connection further reinforces Benderskiy’s ties to Russia-state operations.6

According to law enforcement reports, Benderskiy helped facilitate additional relationships between INDRIK SPIDER and Russia’s intelligence services. The reports specify that Benderskiy used his influence to protect the group from Russian authorities following the U.S.’s 2019 indictments and sanctions of INDRIK SPIDER members.7

Notably, the reports also state that Maksim Yakubets sought to develop relationships with Russia’s Foreign Intelligence Service (SVR) and the GRU (aka GU, the Russian Federation’s Main Directorate of the General Staff of the Armed Forces). Other INDRIK SPIDER members also reportedly “have their own ties with the Russian state” independent of the Benderskiy-Yakubets relationship.

According to the 2024 reports, prior to 2019, Russian intelligence services tasked INDRIK SPIDER with conducting “cyber-attacks and espionage” targeting NATO member countries. The report did not provide further information about these intrusion operations. 

In 2019, U.S. authorities alleged that Yakubets had maintained a relationship with the FSB since at least 2017 and that INDRIK SPIDER had been tasked with conducting “cyber-enabled operations” on behalf of the Russian government, consistent with CrowdStrike Counter Adversary Operations assessments concerning Russian intelligence using domestic cyber criminals to support offensive cyber operations. 

Full List of Sanctions and Indictments  

The announcement on the LockBit DLS coincided with a raft of new sanctions against INDRIK SPIDER members by the governments of the U.K., U.S. and Australia (Table 1). 

Name

Indictment Date
and Enforcing Country

Sanctioned Date
and Enforcing Country

Aleksandr Ryzhenkov

October 2024 — U.S.

October 2024 — U.S., U.K., Australia

Sergey Ryzhenkov

 

October 2024 — U.S., U.K.

Maksim Yakubets

November 2019 — U.S.

October 2024 — U.K., Australia
December 2019 — U.S.

Igor Turashev

November 2019 — U.S.

October 2024 — U.K., Australia
December 2019 — U.S.

Eduard Benderskiy

 

October 2024 — U.S., U.K.

Viktor Yakubets

 

October 2024 — U.S., U.K.

Beyat Ramazanov

 

October 2024 — U.S., U.K.

Aleksey Shchetinin 

 

October 2024 — U.S., U.K.

Vadim Pogodin

 

October 2024 — U.S., U.K.

Artem Yakubets  

 

October 2024 — U.K.

December 2019 — U.S.

Dmitry (Dima) Slobodskoy

 

October 2024 — U.K.

December 2019 — U.S.

Kirill Slobodskoy

 

October 2024 — U.K.

December 2019 — U.S.

Dmitry Smirnov

 

October 2024 — U.K.

December 2019 — U.S.

Andrey Plotnitskiy

 

October 2024 — U.K.

December 2019 — U.S.

Denis Gusev

 

October 2024 — U.K.
December 2019 — U.S.

Ivan Tuchkov

 

October 2024 — U.K.
December 2019 — U.S.

Table 1. List of individuals named in sanctions by U.S., U.K. and Australia

 

  1. https[:]//www.gov[.]uk/government/news/uk-sanctions-members-of-notorious-evil-corp-cyber-crime-gang-after-lammy-calls-out-putins-mafia-state
  2. https[:]//home.treasury[.]gov/news/press-releases/jy2623
  3. https[:]//www.justice[.]gov/opa/pr/russian-national-indicted-series-ransomware-attacks
  4. https[:]//www[.]justice[.]gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware
  5. Ryzhenkov likely also used the monikers MrAkobek, Lizardking, and j.d.m0rr1son (exact spelling of moniker may vary) and may have shared lizardking_sup with another unidentified threat actor.
  6. https[:]//www[.]bellingcat[.]com/news/uk-and-europe/2020/02/17/v-like-vympel-fsbs-secretive-department-v-behind-assassination-of-zelimkhan-khangoshvili/
  7. https[:]//home[.]treasury[.]gov/news/press-releases/sm845 || https[:]//www[.]nationalcrimeagency[.]gov[.]uk/who-we-are/publications/732-evil-corp-behind-the-screens/file
Breaches Stop Here