Exposed and Condemned: Russian Lockbit Ransomware Ringleader Revealed, Indicted, Sanctioned, and Banned
Two months after a multi-country operation busted the Lockbit’s infrastructure, law enforcement in the U.S., U.K., and Europe have revealed the identity of the ransomware gang’s chieftain. With the infra seized and its leader exposed, officials hope it will suppress the syndicate’s malicious operations. However, experts believe that a resurgence is just as possible.
- Two months after a multi-country operation busted the Lockbit’s infrastructure, law enforcement in the U.S., U.K., and Europe have revealed the identity of the ransomware gang’s chieftain.
- Lockbit started its operations in September 2019 and emerged as one of the most active ransomware gangs.
- With the infra seized and its leader exposed, officials hope it will suppress the syndicate’s malicious operations.
- However, experts believe that a resurgence is just as possible.
This week, U.S. and European law enforcement revealed the identity of a Russian national believed to be the administrator of Lockbit, one of the most prolific ransomware gangs today. The FBI, the U.K. National Crime Agency (NCA), and Europol announced sanctions against this individual following the U.S. Department of Justice’s 26-count indictment.
Thirty-one-year-old Dmitry Yuryevich Khoroshev, aka LockBitSupp, LockBit, and putinkrab, is a resident of Voronezh, Russia. His leadership role in Lockbit’s activities led to the victimization of over 2,000 organizations, and he personally pocketed more than $100 million of the $1 billion the gang extorted from its victims.
“The true impact of LockBit’s criminality was previously unknown, but data obtained from their systems showed that between June 2022 and February 2024, more than 7,000 attacks were built using their services. The top five countries hit were the U.S., UK, France, Germany and China,” according to the UK’s National Crime Agency.
Law enforcement unmasked Lockbit’s admin a couple of months after it took down the ransomware syndicate’s infrastructure in February this year as part of Operation Cronos. The U.S., the UK and Australia have frozen his assets, banned his travel, and sanctioned him.
The U.S. Department of State has offered a $10 million reward for information leading to Khoroshev’s arrest or conviction. “I’m not sure the $10M reward will ever be paid, but this news is HUGE!! Law enforcement has uncovered the secret identity behind the largest and most prolific ransomware provider in the world and made it significantly harder for him and his affiliates to operate and be successful,” Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, told Spiceworks News & Insights.
“He will forever have to be worried about who in his circle might turn him in. And this is just one of dozens of things law enforcement has done over the last few years to make it harder for ransomware groups to do what they do and each success is to be celebrated.”
The Lockbit ransomware gang is notorious for targeting critical infrastructure, schools, hospitals, government and non-government organizations, multinational corporations, and small businesses. In 2023, the group’s operators and affiliates were responsible for 25% of ransomware attacks.
“I’m not sure this will have a devastating impact on the ransomware industry because there’s always someone waiting in the wings to become the new ringleader, but this is a good day for Justice and all Internet users. Let’s hope that we continue to see law enforcement be more and more successful,” Grimes added.
The U.S. government has previously charged and indicted five other Lockbit members: Artur Sungatov and Ivan Kondratyev aka Bassterlord (February 2024), Ruslan Magomedovich Astamirov (June 2023), Mikhail Matveev aka Wazawaka, m1x, and Boriselcin (May 2023), and Mikhail Vasiliev (November 2022).
Khoroshev is charged with:
- One count of conspiracy to commit fraud, extortion, and related activity in connection with computers
- One count of conspiracy to commit wire fraud
- Eight counts of intentional damage to a protected computer
- Eight counts of extortion concerning confidential information from a protected computer
- Eight counts of extortion relating to damage to a protected computer
Tom Kellermann, SVP of Cyber Strategy at Contrast Security, expressed apprehensions about catching Khoroshev. He told Spiceworks, “Mr. Khoroshev is untouchable from Western law enforcement. He enjoys a protection racket with FSB and GRU. He is seen as a national asset and leader of a cyber militia. Ransomware payments must be banned and likened to sanctions evasion.”
Of the previously charged members, Vasiliev is serving a four-year prison sentence, while Astamirov is yet to be tried. If apprehended and found guilty at trial, Khoroshev faces a maximum sentence of 185 years in prison as well as a maximum fine of $250,000 for each of the 26 counts.
“The previous takedowns in their sphere, and now these developments – their leader’s identity and their affiliate activity being revealed – may have backed LockBit into a corner,” Malachi Walker, Security Advisor at DomainTools, told Spiceworks News & Insights.
“This group has been known to quickly adapt and pivot to new strategies to leverage the disruption and change in the ransomware space to their advantage, but paradoxically this has also put them and their affiliates in a difficult position: the longer history a threat actor has, the more likely their OPSEC (operational security) has failed or will fail at some point.”
“Staying all the way in the shadows of the Internet is challenging, time-consuming, and often works against the scale and speed that bad actors depend on to profit from their activity. LockBit may have succeeded in making significant money from their longstanding activity but it has done so at the cost of leaving contextual information behind that is now being leveraged to take them and their affiliates down.”
Indeed, law enforcement has established that Lockbit had 194 affiliates as of February 2024, of which 148 built attacks and 119 engaged in negotiations with victims. Since February, the number of Lockbit affiliates has declined to 69, per the NCA.
The NCA also revealed that law enforcement now holds 2,500 decryption keys, up from the 1,000 disclosed in February, in addition to stolen victim data, cryptocurrency addresses, and other information.
It is too soon to say if Lockbit will make a comeback, but Operation Cronos has been financially and operationally taxing, significantly slowing down the gang’s activities. It has also damaged their recruitment, as affiliates are discouraged from joining forces with a seemingly sinking ship.