Dmitry Khoroshev named leader of LockBit: US offers $10m reward for information

LockBit administrator identified as 31-year-old Dmitry Khoroshev from Russia

LockBit's administrator Khoroshev sanctioned in U.S., U.K., and Australia

The person responsible for the operation of the LockBit ransomware campaign has been revealed to be 31-year-old Russian national Dmitry Yuryevich Khoroshev. This revelation came through coordinated efforts by law enforcement agencies including the UK's National Crime Agency, the U.S. Department of Justice, and the Australian government.

As a consequence, Khoroshev is now subject to international sanctions that include asset freezes and travel bans, particularly from the US, UK, and Australia. In the media release, Australia's Minister for Foreign Affairs, the Hon Penny Wong, said:[1]

The new sanction under the cyber sanctions framework makes it a criminal offence to provide assets to Dmitry Yuryevich Khoroshev, or to use or deal with his assets. The framework is intended to disrupt and deter the perpetrators of malicious cyber activity, such as ransomware.

Khoroshev, also known by his online alias LockBitSupp, was determined to have personally benefited from ransomware attacks that accrued over $100 million in Bitcoin payments.

LockBit's underground site was taken down in February

LockBit operates by encrypting the data of its victims and demanding ransom for the decryption keys, primarily in cryptocurrency, making the transactions difficult to trace. The ransomware has targeted large-scale organizations worldwide, including more than 100 hospitals, schools, and major companies, causing extensive financial and operational damage.[2]

In a significant countermove in February this year,[3] international law enforcement agencies seized LockBit’s website, used it to unmask Khoroshev, and continued to operate it to disrupt ongoing ransomware activities. This action followed a pattern where authorities initially replaced hacker communications with official law enforcement messages to undermine the gang's operations. Britain's NCA and the U.S. FBI arrested several members of the gang at the time.

As of the latest efforts, Europol and other agencies have managed to gather over 2,500 decryption keys, offering relief to some victims previously targeted by cybercriminals. According to Europol, the recovery effort is significant:[4]

Europol has been exploiting the vast amount of data gathered during the investigation and the first phase of action to identify these victims, who are located all over the world. Its European Cybercrime Centre (EC3) has disseminated some 3 500 intelligence packages containing information about Lockbit victims to 33 countries.

Attempts to resurface

Recent evidence highlights the scope and severity of the LockBit ransomware attacks. Up to February 2024, the gang launched over 7,000 attacks using its services, predominantly targeting five key countries: the U.S., the U.K., France, Germany, and China.[5] This wide regional distribution draws attention to both the sophisticated network that powers these operations and the enormous disruption that LockBit has created.

Following significant legal and law enforcement actions, LockBit's attempts to rebuild and maintain its operations have been largely unsuccessful. They've attempted to create a semblance of ongoing activity by launching a new leak site and posting outdated and fictitious victim data to exaggerate their operational capacity.

However, these efforts have not restored their previous capabilities, and the overall threat from LockBit has significantly diminished. This downturn is further evidenced by the reduced number of active affiliates, which has dropped from 194 to just 69, and many of these affiliates have failed to successfully negotiate ransoms, indicating a decline in their operational effectiveness.

If caught, Khoroshev could face up to 185 years in jail

Now that he has been identified, Dmitry Khoroshev is charged with several offenses, including conspiracy to commit fraud and deliberate damage to protected computers, according to a 26-count U.S. indictment. The charges could result in up to 185 years in jail, emphasizing the serious consequences associated with high-level cybercrimes.

On Tuesday, international law enforcement agencies took a strategic turn by leveraging the gang's own platform to expose Dmitry Khoroshev. They published a wanted poster on the site, announcing a $10 million reward for any information that could directly contribute to Khoroshev's capture.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
