The United States today joined the United Kingdom and Australia in sanctioning 31-year-old Russian citizen Dmitry Yuryevich Khoroshev as the alleged leader of the notorious ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev, accusing him of using Lockbit to attack more than 2,000 victims and extort at least $100 million in ransomware payments.
Khoroshev, a resident of Voronezh, Russia, was indicted on 26 counts by a New Jersey grand jury.
“Dmitry Khoroshev conceived, developed and managed Lockbit, the world’s most prolific ransomware variant and ransomware gang, enabling himself and his affiliates to wreak havoc, causing billions of dollars in losses to thousands of victims worldwide,” U.S. Attorney Philip R. Sellinger said in a Justice Department statement.
The indictment alleges that Khoroshev served as the developer and administrator of the LockBit ransomware group from its inception in September 2019 to May 2024, and he typically received a 20% share of each ransom extorted from LockBit victims.
LockBit victims include individuals, small businesses, multinational corporations, hospitals, schools, nonprofits, critical infrastructure, and government and law enforcement agencies, the government said.
“Khoroshev and his co-conspirators extorted at least $500 million in ransom from victims and caused billions of dollars in broader losses, such as lost revenue, incident response and recovery losses,” the DOJ said. “The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States.”
Nearly three months ago, U.S. and British authorities seized a darknet site operated by LockBit and revamped it with press releases about the law enforcement operation and free tools to help LockBit victims decrypt infected systems.
One of the blog captions authorities left on the seized website was a teaser page that read “Who is LockbitSupp?” and promised to reveal the true identity of the ransomware gang’s leader. The item featured a countdown clock until the big reveal, but no such details were provided when the site’s timer expired.
Following the FBI raid, LockBitSupp took to Russian cybercrime forums to assure his partners and affiliates that the ransomware operation was still fully operational. LockBitSupp also stood up another set of darknet sites that soon promised to publish data stolen from a number of LockBit victims who had been ransomed prior to the FBI raid.
One of the victims LockBitSupp continued to extort was Fulton County, Georgia. But when Fulton County officials refused to pay and the timer expired, the stolen records were never released. Experts said the FBI had likely seized all of the data LockBit had stolen.
LockBitSupp also boasted that their true identities would never be revealed, and at one point offered to pay $10 million to anyone who could discover their real names.
KrebsOnSecurity has been in on-and-off contact with LockBitSupp for several months in the course of reporting on various LockBit victims. Reached at the same ToX messaging identity that the leader of the ransomware group has promoted on Russian cybercrime forums, LockBitSupp claimed that authorities had named the wrong person.
“That’s not me,” LockBitSupp replied in Russian. “I don’t understand how the FBI connected me to this poor guy. Where is my logic chain? Don’t you feel sorry for an innocent person?”
LockBitSupp, who now has a $10 million reward for his arrest from the U.S. Department of State, is known to be flexible with the facts. The Lockbit group often performs “double extortion” on victims: demanding payment of a ransom to obtain the key to unlock the hijacked systems, and an additional ransom in exchange for a promise to delete the data stolen from the victim.
But Justice Department officials said LockBit never deleted its victims’ data, regardless of whether the victims paid a ransom to prevent the information from being published on LockBit’s victim-shaming website.
Khoroshev is the sixth person to be formally indicted as an active member of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware to attack victims in manufacturing, logistics, insurance and other companies across the United States.
Ivan Gennadyevich Kondratyev, also known as “Bassterlord,” is alleged to have deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts for allegedly using a variant of the Sodinokibi (aka “REvil”) ransomware to encrypt data, exfiltrate victim information, and extort ransom from a corporate victim in Alameda County, California.
In May 2023, U.S. authorities filed indictments against two alleged LockBit affiliates, Mikhail “Wazawaka” Matveyev and Mikhail Vasiliev. In January 2022, KrebsOnSecurity published “Who is the Internet Access Broker ‘Wazawaka’?” The story traced the clues provided by Wazawaka’s many pseudonyms and contact information on Russian-language cybercrime forums to a 31-year-old Mikhail Matveyev from Abaza, Russia.
Matveyev remains at large, possibly still in Russia. Meanwhile, the U.S. State Department is offering a $10 million reward for information leading to Matveyev’s arrest.
Vasiliev, 35, from Bradford, Ontario, Canada, is currently detained in Canada awaiting extradition to the United States (the complaint against Vasiliev is available here as a PDF).
In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for participating in the LockBit conspiracy, which included deploying LockBit against victims in Florida, Japan, France and Kenya. Astamirov is currently detained in the United States awaiting trial.
The Department of Justice urges victims targeted by LockBit to contact the FBI at https://lockbitvictims.ic3.gov/ to file a formal complaint and determine whether the affected systems can be successfully decrypted.