LockBit gang leader exposed in FBI ransomware breakthrough


The leadership identity of the LockBit ransomware group has been officially unveiled by international law enforcement, capping off a months-long manhunt to take down the notorious cybercriminal cartel. But will the reveal actually lead to an arrest? Cybernews has the latest.

As promised by the FBI, the leader's name and picture were released on Tuesday as part of a joint operation between the US Department of Justice (DoJ), the UK’s National Crime Agency (NCA), and Europol.

The DoJ unsealed an indictment charging Russian national Dmitry Yuryevich Khoroshev as the creator, administrator, and developer of the LockBit ransomware group.


As part of the indictment, the US Department of State, through the Transnational Organized Crime Rewards Program (TOCRP), announced it is offering a reward of up to $10,000,000 for information leading to the arrest and/or conviction, in any country, of Khoroshev for participating in, conspiring to participate in, or attempting to participate in LockBit ransomware activities.

[Image: LockBitSupp revealed. Source: US Department of Justice]

Who is LockBitSupp?

The 26-count indictment against the 31-year-old Khoroshev – alias LockBitSupp, LockBit, and putinkrab – was returned by a federal grand jury in New Jersey District Court on Tuesday morning.

Khoroshev is considered not only the core leader of LockBit, but also the developer of the devastating LockBit ransomware variant, currently in its 3.0 iteration.

As part of performing “a variety of operational and administrative roles for the cybercrime group,” Khoroshev is alleged to have been responsible for upgrading LockBit infrastructure, recruiting new ransomware developers, and managing LockBit affiliates.

He is also singled out as the resurrector of LockBit’s operations after the gang’s servers and public-facing websites had been seized by authorities earlier this year.

[Image: LockBit takedown. A screenshot taken on February 19, 2024 shows a takedown notice posted by global intelligence agencies after seizing LockBit's dark web site.]

Dmitry Yuryevich Khoroshev (Дмитрий Юрьевич Хорошев) is said to be from the southwestern Russian city of Voronezh, which has a population of just over a million and lies about 6 hours south of Moscow.

The DoJ calls the cybercriminal outfit one of the most prolific ransomware groups in the world, having targeted over 2,500 victims and stolen more than $100 million in ransomware payments from LockBit's inception in September 2019 through the present.

Khoroshev and his affiliates are said to have wreaked havoc on critical infrastructure, including schools and hospitals, causing “billions of dollars in damage to thousands of victims around the globe,” according to US Attorney Philip R. Sellinger for the District of New Jersey.

“He thought he could do so hidden by his notorious moniker ‘LockBitSupp,’ anonymous and free of any consequence, while he personally pocketed $100 million extorted from LockBit’s victims….we have proven him and his co-conspirators wrong,” Sellinger said.

But it also appears that Khoroshev was a "regular guy" who, based on a Yandex breach that exposed some of his personal information and an iCloud email in 2022, lived in a modest apartment, liked to play pool, and was a fan of ordering food from a local wine and cheese eatery whose name translates as 'The Cheese Factory' (not to be confused with the US restaurant chain 'The Cheesecake Factory'), as first reported on social media.

According to a post on X by the malware repository vx-underground, a few hours after the indictment was announced the "LockBit ransomware group has made a statement to the FBI."

"The FBI is bluffing, I’m not Dimon, I feel sorry for the real Dimon," it said along with some other choice words. Vx-underground explained that roughly translated from Russian, the statement implies that law enforcement is after the wrong guy.

If caught and arrested, Khoroshev faces a maximum penalty of 185 years in prison, as well as a maximum fine of $250,000 for each of the 26 counts.


The charges against Khoroshev are as follows: one count of conspiracy to commit fraud, extortion, and related activity in connection with computers; one count of conspiracy to commit wire fraud; eight counts of intentional damage to a protected computer; eight counts of extortion in relation to confidential information from a protected computer; and eight counts of extortion in relation to damage to a protected computer.

As of this report, a total of six LockBit members have now been charged for their participation in the LockBit conspiracy – five Russian nationals in the past twelve months, and one dual Russian-Canadian national from a 2022 indictment, the only LockBit suspect in custody and awaiting extradition to the US from Canada.

The victims of LockBit

LockBit’s never-ending list of victims spans at least 120 countries and includes individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.

Out of the 2,500 victims known, at least 1,800 were located in the United States.

According to the DoJ, Khoroshev and his co-conspirators “extracted at least $500 million in ransom payments from their victims.”

But that amount is only the tip of the financial iceberg, as ransomware attacks are known to cause billions of dollars more in broader losses, such as lost revenue, incident response, and recovery.

[Image: Operation Cronos Europol LockBit stats]

Tuesday's court documents additionally laid out how a typical LockBit extortion scheme would unfold for Khoroshev, LockBit affiliates, and their victims.


Under what is often referred to as a ‘ransomware-as-a-service’ (RaaS) business model, the LockBit developer Khoroshev would typically receive a 20% share of each ransom payment extorted from LockBit victims, the DoJ said.

The affiliate, using LockBit’s ransomware variant to carry out the attack, would keep the remaining 80%.

Khoroshev is alleged to have personally received at least $100 million from the 80/20 split in cryptocurrency payments.

Another tidbit discovered by investigators in February was that, instead of destroying the data stolen from victims once a ransom payment was obtained – as stipulated in LockBit’s ransomware agreement – Khoroshev had retained copies of the victims’ data even after they had paid.

In February, law enforcement also added two LockBit malware decryption tools (contributed by Japan and Europol) to its NoMoreRansom website so victims can recover encrypted files, along with a dedicated US government website where victims can report attacks and determine whether either tool will work for their situation.

So far, over 3,100 victims worldwide have been able to take advantage of the decryption tools, the DoJ said.

The lead-up investigation

The reveal could be considered the second chapter in a massive effort by the trio of intelligence agencies, who infiltrated and seized LockBit’s dark web domains on February 20th, claiming to have disrupted the gang’s ransomware operations "at every level."

At the time, law enforcement announced it had obtained “a vast amount of data,” including LockBit source code, disrupted the group’s Stealbit exfiltration tool, and seized supporting servers in three different countries along with dozens of servers owned by LockBit's affiliates.

As part of Operation Cronos, not only did the FBI plaster LockBit’s home page with a “THIS WEBSITE IS NOW UNDER THE CONTROL OF LAW ENFORCEMENT” notice, but it dedicated itself to reworking the gang’s website, mocking the Russian-linked group using LockBit’s own signature branding, and has updated it for this latest announcement.

[Image: LockBit seized site, May 7. Seized LockBit site showing law enforcement's countdown to LockBit leak site closure. Image by Cybernews.]

The FBI had used its control of the LockBit site in February to taunt the gang, hinting at the information it had gained about its leader and warning that a full takedown and arrest would follow.

"We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with law enforcement," read one of the many messages on the former LockBit dark web blog, now under control by authorities.

Authorities even hinted that LockBitSupp was driving a Mercedes and that the leader probably couldn't find spare parts for it.

In today's May 7th announcement, the NCA continues to taunt LockBit, releasing a fresh round of statistics and case studies on the group gathered since February.

“Here are some facts and figures we have gleaned from the data for your interest,” the NCA writes on the now-police-controlled LockBit site. “Lockbitsupp, feel free to get in contact directly if you disagree with any of our findings? You’re welcome to do this in person?” it said.

[Image: NCA LockBit facts]
[Image: NCA LockBit facts case study]

But, as is the challenge when fighting online criminal syndicates protected by governments that politically support and even fund cybercrime against nation-state enemies, within days of the February takedown LockBit had resurrected its darknet presence and released a roughly 20,000-word response to the FBI, written in both English and Russian.

The LockBit regrouping also came with a new dark web leak page and a fresh round of victims that has continued to pour in steadily, with an attack on a Cannes hospital in April and nearly 60 victims posted just yesterday, including German telecommunications giant Deutsche Telekom.


“We know our work to disrupt LockBit thus far has been extremely successful in degrading their capability and credibility among the criminal community,” said NCA Director General Graeme Biggar.

“The group’s attempt at rebuilding has resulted in a much less sophisticated enterprise with significantly reduced impact,” he said.

LockBit leader sanctioned

Before today’s announcement, authorities allege that Khoroshev even tried to get the FBI to give away information on his RaaS competitors, aka “enemies,” in exchange for his services – which we assume means his cooperation – a rumor that had been floating around social media for months.

Even now, the last block on LockBit's NCA-controlled main page is an 'unpublished' section showing a roughly two-day deadline, implying that LockBit's leak blog will finally be shut down by law enforcement. Still, it's not entirely clear whether the note refers to the site controlled by authorities or to the new site under LockBit's control.

[Image: NCA LockBit 2-day deadline shutdown]

Authorities had also outed the usernames of 194 affiliates on the FBI’s phony LockBit site, said to have been using LockBit's services until February. The list has now been updated to just 69 active affiliates, including their surnames.

The NCA breaks down those 194 known affiliates as follows: 148 built attacks; 119 deployed those attacks and engaged in negotiations with victims, 39 of whom appear never to have received a ransom payment; and another 75 affiliates did not engage in any negotiations and also appear not to have received any ransom payments, the NCA found.

Additionally on Tuesday, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the agency in charge of designating entities a threat to national security, announced it was imposing sanctions on the senior LockBit leader for his role in launching cyberattacks. Those sanctions are said to include freezing the assets of Khoroshev and any entity that does business with him, as well as a ban on international travel.

“The US has previously stressed that Russia must take concrete steps to prevent cybercriminals from freely operating in its jurisdiction,” the Treasury Department said.

“Today’s actions reflect the commitment of the United States to a long-term, coordinated, and sustained approach to disrupt and degrade the ransomware ecosystem,” it said.

The news of Khoroshev's indictment has also been circulating among Russian news media.