The identity of the leader of one of the most notorious ransomware groups in history has finally been revealed.
On Tuesday, a coalition of law enforcement led by the UK’s National Crime Agency announced that Russian national Dmitry Yuryevich Khoroshev, 31, is the person behind the alias LockBitSupp, the administrator and developer of the LockBit ransomware. The US Department of Justice also announced the indictment of Khoroshev, accusing him of computer crimes, fraud and extortion.
“Today we are going one step further by charging the individual we allege developed and operated this malicious cyber program, which has targeted over 2,000 victims and stolen more than $100 million in ransomware payments,” Attorney General Merrick B. Garland was quoted as saying in the announcement.
According to the DOJ, Khoroshev is originally from Voronezh, a city in Russia about 300 miles south of Moscow.
“Dmitry Khoroshev conceived, developed and managed Lockbit, the world’s most prolific ransomware variant and group, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the world,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey, where Khoroshev was charged.
The law enforcement coalition announced LockBitSupp’s identity in press releases, as well as on LockBit’s original dark web site, which was seized by authorities earlier this year. On the website, the US State Department announced a $10 million reward for information that could help authorities capture and convict Khoroshev.
The US government also announced sanctions against Khoroshev, which effectively prohibit anyone from doing business with him, such as victims paying ransom. Sanctioning the people behind ransomware makes it harder for them to profit from cyber attacks. Violating sanctions, including paying a sanctioned hacker, can result in heavy fines and prosecution.
LockBit has been active since 2020 and, according to the US cyber security agency CISA, the group’s ransomware variant was “the most developed” in 2022.
Europol, which took part in the law enforcement operation, said in a statement that authorities now have more than 2,500 decryption keys that can help victims unlock data previously encrypted by the gang.
The NCA published an infographic on the seized LockBit website, which included statistics on LockBit’s activities. According to the evidence, the group targeted more than 100 hospitals, healthcare companies and facilities, including a children’s hospital. In this case, LockBit said the attack was a mistake and that it would block the “partner” responsible for the attack and provide the decryption keys to unlock the files. However, according to the NCA, “this was a lie” as the partner remained active and the decryption keys “were not working properly”.
The NCA, for its part, invited Khoroshev to get in touch if he disputed their findings. “Are you welcome to do it in person?” said the NCA.
On Sunday, the law enforcement coalition restored LockBit’s seized dark web site to publish a list of posts intended to tease the latest revelations. In February, authorities announced they had taken control of LockBit’s website and had replaced the hackers’ posts with their own, which included a press release and other information about what the coalition called “Operation Cronos.”
Shortly thereafter, LockBit appeared to be back with a new website and a new list of alleged victims, which was updated as of Monday, according to a security researcher who monitors the team.
For weeks, LockBit’s leader, known as LockBitSupp, has been vocal and public in an effort to dismiss the law enforcement operation and show that LockBit is still active and targeting victims. In March, LockBitSupp gave an interview to The Record news agency in which they claimed that Operation Cronos and the actions of law enforcement do not “affect business in any way”.
“I take it as additional advertising and an opportunity to show everyone the strength of my character. I can’t be scared. What doesn’t kill you makes you stronger,” LockBitSupp told The Record.