The U.K. National Crime Agency (NCA) has unmasked the administrator and developer of the LockBit ransomware operation, revealing it to be a 31-year-old Russian national named Dmitry Yuryevich Khoroshev.
In addition, Khoroshev has been sanctioned by the U.K. Foreign, Commonwealth and Development Office (FCD), the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the Australian Department of Foreign Affairs.
Europol, in a press statement, said authorities are in possession of over 2,500 decryption keys and are continuing to contact LockBit victims to offer support.
Khoroshev, who went by the monikers LockBitSupp and putinkrab, has also become the subject of asset freezes and travel bans, with the U.S. Department of State offering a reward of up to $10 million for information leading to his arrest and/or conviction.
Previously, the agency had announced reward offers of up to $15 million seeking information leading to the identity and location of key leaders of the LockBit ransomware variant group as well as information leading to the arrests and/or convictions of the group’s members.
Concurrently, an indictment unsealed by the Department of Justice (DoJ) has charged Khoroshev on 26 counts, including one count of conspiracy to commit fraud, extortion, and related activity in connection with computers; one count of conspiracy to commit wire fraud; eight counts of intentional damage to a protected computer; eight counts of extortion in relation to confidential information from a protected computer; and eight counts of extortion in relation to damage to a protected computer.
In all, the charges carry a maximum penalty of 185 years in prison. Each of the charges further carries a monetary penalty that’s the greatest of $250,000, pecuniary gain to the offender, or pecuniary harm to the victim.
With the latest indictment, a total of six members affiliated with the LockBit conspiracy have been charged, including Mikhail Vasiliev, Mikhail Matveev, Ruslan Magomedovich Astamirov, Artur Sungatov, and Ivan Kondratyev.
“Today’s announcement puts another huge nail in the LockBit coffin and our investigation into them continues,” NCA Director General Graeme Biggar said. “We are also now targeting affiliates who have used LockBit services to inflict devastating ransomware attacks on schools, hospitals and major companies around the world.”
LockBit, which was one of the most prolific ransomware-as-a-service (RaaS) groups, was dismantled as part of a coordinated operation dubbed Cronos earlier this February. It’s estimated to have targeted over 2,500 victims worldwide and received more than $500 million in ransom payments.
“LockBit ransomware has been used against Australian, UK and US businesses, comprising 18% of total reported Australian ransomware incidents in 2022-23 and 119 reported victims in Australia,” Penny Wong, Minister for Foreign Affairs of Australia, said.
Under the RaaS business model, LockBit licenses its ransomware software to affiliates in exchange for an 80% cut of the paid ransoms. The e-crime group is also known for its double extortion tactics, where sensitive data is exfiltrated from victim networks before encrypting the computer systems and demanding ransom payments.
Khoroshev, who started LockBit around September 2019, is believed to have netted at least $100 million in disbursements as part of the scheme over the past four years.
“The true impact of LockBit’s criminality was previously unknown, but data obtained from their systems showed that between June 2022 and February 2024, more than 7,000 attacks were built using their services,” the NCA said. “The top five countries hit were the US, UK, France, Germany and China.”
LockBit’s attempts to resurface after the law enforcement action have been unsuccessful at best, prompting it to post old and fake victims on its new data leak site.
“LockBit have created a new leak site on which they have inflated apparent activity by publishing victims targeted prior to the NCA taking control of its services in February, as well as taking credit for attacks perpetrated using other ransomware strains,” the agency noted.
The RaaS scheme is estimated to have encompassed 194 affiliates until February 24, out of which 148 built attacks and 119 engaged in ransom negotiations with victims.
“Of the 119 who began negotiations, there are 39 who appear not to have ever received a ransom payment,” the NCA noted. “Seventy-five did not engage in any negotiation, so also appear not to have received any ransom payments.”
The number of active LockBit affiliates has since dropped to 69, the NCA said, adding LockBit did not routinely delete stolen data once a ransom was paid and that it uncovered numerous instances where the decryptor provided to victims failed to work as expected.
“As a core LockBit group leader and developer of the LockBit ransomware, Khoroshev has performed a variety of operational and administrative roles for the cybercrime group, and has benefited financially from the LockBit ransomware attacks,” the U.S. Treasury Department said.
“Khoroshev has facilitated the upgrading of the LockBit infrastructure, recruited new developers for the ransomware, and managed LockBit affiliates. He is also responsible for LockBit’s efforts to continue operations after their disruption by the U.S. and its allies earlier this year.”
