LockBit Ransomware Mastermind Unmasked, Charged

Charges and sanctions announced against Dimitry Yuryevich Khoroshev, the alleged developer and operator of LockBit ransomware.

A Russian national has been named by law enforcement as the mastermind behind the notorious LockBit ransomware operation.

The man, Dimitry Yuryevich Khoroshev, 31, of Voronezh, Russia, also known as LockBitSupp, LockBit, and putinkrab, has been charged by the US Justice Department in a 26-count indictment for creating and operating the LockBit ransomware-as-a-service (RaaS).

According to the indictment, Khoroshev was involved in designing LockBit, recruited affiliates to deploy the malware against victims, maintained the RaaS infrastructure and the LockBit leak site, and allegedly received over $100 million in proceeds as his share of the ransom payments made by the victims.

The LockBit RaaS started operations in September 2019 and was disrupted by law enforcement in February 2024. Despite that, the RaaS administrators managed to restore some of the infrastructure, launched a new leak site, and resumed operations shortly after.

According to the indictment, LockBit was used in attacks against over 2,500 victims in more than 120 countries, including 1,800 victims in the US.

The ransomware group targeted individuals, small businesses, critical infrastructure, hospitals, schools, corporations, non-profit organizations, and government and law enforcement agencies, receiving at least $500 million in ransom payments.

In addition to encrypting data, the LockBit group exfiltrated it from targeted organizations and used it to pressure victims, threatening to make the data public unless a ransom was paid.

Following the February 2024 disruption, law enforcement authorities learned that Khoroshev retained copies of the stolen data, even when the victims paid the ransom, although he and the LockBit affiliates had promised to delete the data after payment.

Khoroshev is charged with fraud, extortion, and damaging protected computers. In total, the charges carry a maximum penalty of 185 years in prison.

Khoroshev is the sixth individual charged for his role in the LockBit operation. Previously, charges were announced against Mikhail Vasiliev, Mikhail Matveev, Ruslan Magomedovich Astamirov, Artur Sungatov, and Ivan Kondratyev.

On Tuesday, the US also announced sanctions against Khoroshev, and a reward of up to $10 million for information leading to his arrest. Previously, the US announced a $10 million reward for information on the LockBit group leaders.

Sanctions were also announced on Tuesday by the United Kingdom and Australia.

In February, the LockBit infrastructure was severely disrupted by an international law enforcement effort called Operation Cronos, which resulted in two arrests, 34 servers taken down, more than 14,000 rogue accounts closed, and over 200 cryptocurrency accounts frozen.

LockBit affiliates identified, decryption keys available

After infiltrating the LockBit infrastructure, the UK National Crime Agency (NCA) discovered that the group carried out over 7,000 attacks between June 2022 and February 2024, mainly against entities in the US, UK, France, Germany, and China, including over 100 hospitals and healthcare organizations.

More than 2,100 of the victims engaged in some form of negotiation with the group, and the NCA believes that the group has extorted over $1 billion from its victims.

While LockBit continues to operate, its activity is currently reduced by more than 70% compared to the pre-disruption levels, at least in the UK. The currently active affiliates are less sophisticated and have lower impact, the NCA says.

Prior to the disruption, the NCA identified 194 affiliates using the LockBit RaaS, but that number has dropped to 69 since February. The NCA has provided a list with all the discovered identities, including full names for the newer affiliates.

The agency says it is currently in possession of over 2,500 decryption keys and is contacting LockBit victims to help them recover their data.

As Operation Cronos continues with support from law enforcement agencies in 10 countries, Europol on Tuesday announced that over 3,500 LockBit victims in 33 countries were identified, underlining that victims can use a free recovery tool – available on the NoMoreRansom site – to restore their data.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
