The leader of the notorious LockBit ransomware gang has had their identity revealed after a law enforcement takedown of the group’s infrastructure in February.
The individual is Russian national Dmitry Yuryevich Khoroshev. He has been sanctioned by the UK, US and Australia, following a National Crime Agency-led (NCA) international disruption campaign, Operation Cronos.
LockBitSupp Faces International Sanctions
Khoroshev, aka LockBitSupp, thrived on anonymity and offered a $10m reward to anyone who could reveal his identity, will now be subject to a series of asset freezes and travel bans, the NCA said in a statement published on 7 May 2024.
US partners have also unsealed an indictment against him and are offering a reward of up to $10m for information leading to his arrest and/or conviction.
US Attorney Philip R. Sellinger for the District of New Jersey said Khoroshev personally pocketed $100 million extorted from Lockbit’s victims.
NCA Director General Graeme Biggar said: “These sanctions are hugely significant and show that there is no hiding place for cybercriminals like Dmitry Khoroshev, who wreak havoc across the globe. He was certain he could remain anonymous, but he was wrong.”
Biggar said that the NCA and its partners are also now targeting affiliates who have used LockBit services to inflict devastating ransomware attacks on schools, hospitals and major companies around the world.
The actions targeting Khoroshev form part of an extensive and ongoing investigation into the LockBit group by the NCA, FBI, and international partners who form the Operation Cronos taskforce.
Read more: LockBit Takedown - What You Need to Know about Operation Cronos
LockBit’s Criminal Impact
The NCA highlighted the impact of LockBit’s ransomware attacks, the true impact of which was previously unknown.
Data obtained from the gang’s systems by law enforcement showed that between June 2022 and February 2024, more than 7000 attacks were built using their services. The top five countries hit were the US, UK, France, Germany and China.
Attacks targeted over 100 hospitals and healthcare companies and at least 2110 victims were forced into in some degree of negotiation by cyber criminals.
LockBit Attacks Reduced by over 70%
Many commentators in the cybersecurity community have suspected that despite Operation Cronos the ransomware gang would attempt to rebuild and return, even if under a different guise.
The NCA confirmed that the group has attempted to rebuild, however, because of the ongoing investigation they are currently running at limited capacity and the global threat from LockBit has significantly reduced.
Don Smith, VP, Secureworks Counter Threat Unit (CTU) commented: “Since Operation Cronos took disruptive action, LockBit has been battling to reassert its dominance and, most importantly, its credibility within the cybercriminal community. The psychological element of the action taken by law enforcement was extremely effective, the group’s efforts to re-establish its previous reputation have not gone particularly well.”
A recent Chainalysis report recorded evidence of a decrease in ransomware operations’ profitability following recent law enforcement takedowns against ransomware groups.
LockBit have created a new leak site on which they have inflated apparent activity by publishing victims targeted prior to the NCA taking control of its services in February, as well as taking credit for attacks perpetrated using other ransomware strains.
The average number of monthly LockBit attacks has reduced by 73% in the UK since February’s action, with other countries also reporting reductions, according to the NCA.
A total of 194 affiliates have been identified as using LockBit’s services up until February 2024.
The NCA and international partners are now in possession of over 2,500 decryption keys and are continuing to contact LockBit victims to offer support. The Agency has so far proactively reached out to nearly 240 LockBit victims in the UK.