The UK’s National Crime Agency (NCA) has revealed the administrator and developer of the LockBit ransomware operation to be a 31-year-old Russian citizen named Dmitry Yuryevich Khoroshev.
Khoroshev has also been sanctioned by the UK Foreign, Commonwealth and Development Office (FCDO), the US Treasury Department’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.
Europol said in a press statement that authorities have more than 2,500 decryption keys and are continuing to contact LockBit victims to provide support.
Khoroshev, who goes by the nicknames LockBitSupp and putinkrab, has also been the subject of asset freezes and travel bans, and the U.S. State Department is offering a reward of up to $10 million for information leading to his arrest and/or conviction.
The agency has previously announced a reward of up to $15 million, seeking information on the identity and location of key leaders of the LockBit ransomware variant group, as well as information leading to the arrest and/or conviction of members of the group.
Meanwhile, an indictment unsealed by the Department of Justice (DoJ) charges Khoroshev with 26 counts, including one count of conspiracy to commit fraud, racketeering, and computer-related activities; eight counts of conspiracy to commit wire fraud; eight counts of intentional damage to a protected computer; eight counts of extortion related to confidential information from a protected computer; and eight counts of extortion related to damage to a protected computer.
All told, the charges carry a maximum penalty of 185 years in prison. Each charge also carries a fine of up to $250,000, the monetary gain to the offender or the monetary harm to the victim.
According to the latest indictment, a total of six members related to the LockBit conspiracy have been charged, including Mikhail Vasilyev, Mikhail Matveyev, Ruslan Magomedovich Astamirov, Artur Songatov and Ivan Kondratiev.
NCA Director General Graeme Biggar said: “Today’s announcement puts another big nail in LockBit’s coffin as our investigation into them continues. and affiliates responsible for devastating ransomware attacks on large companies.”
LockBit, one of the most prolific ransomware-as-a-service (RaaS) groups, was disrupted in early February as part of a coordinated operation known as Cronos. The group is estimated to have targeted more than 2,500 victims worldwide and received more than $500 million in ransom payments.
Australian Foreign Minister Penny Wong said: “LockBit ransomware has been used to target Australian, British and American businesses, accounting for 18% of the total number of Australian ransomware incidents reported in 2022-23, with 119 reported victims.”
Under the RaaS business model, LockBit licenses its ransomware software to affiliates in exchange for an 80% cut of the ransom paid. The e-crime group is also known for its double extortion strategy, which involves stealing sensitive data from victims’ networks before encrypting their computer systems and demanding a ransom.
Khoroshev founded LockBit around September 2019 and is believed to have netted at least $100 million over the past four years as part of the scheme.
The NCA said: “The true impact of LockBit’s criminal conduct was previously unknown, but data obtained from its systems shows that more than 7,000 attacks were launched using its services between June 2022 and February 2024. The five most affected countries are the United States, the United Kingdom, France, Germany and China.”
LockBit’s attempts to resurface after law enforcement actions were unsuccessful at best, prompting it to post old and fake victims on new leak sites.
“LockBit created a new leak site where they published targeted victim information and exaggerated apparent activity in attacks using other ransomware before the NCA took control of its services in February,” the agency noted.
As of February 24, the RaaS program was estimated to include 194 affiliates, 148 of which launched attacks and 119 of which negotiated ransoms with victims.
“Of the 119 individuals who began negotiations, 39 appear to have never received ransom,” the NCA noted. “Seventy-five individuals were not involved in any negotiations and therefore do not appear to have received any ransom.”
The number of active LockBit affiliates has dropped to 69, the NCA said, adding that LockBit does not regularly delete stolen data once the ransom is paid, and that it has discovered numerous cases where decryptors provided to victims did not work as expected.
The U.S. Treasury Department said: “As the core leader of the LockBit organization and the developer of the LockBit ransomware, Khoroshev served in various operational and management roles for cybercriminal organizations and financially benefited from LockBit ransomware attacks.
“Khoroshev facilitated upgrades to LockBit’s infrastructure, recruited new developers for the ransomware, and managed LockBit affiliates. He was also responsible for LockBit’s effort to continue operations after it was breached by the United States and its allies earlier this year.”