On Tuesday, US and UK authorities revealed that the mastermind behind LockBit, one of the most prolific and damaging ransomware groups in history, is a 31-year-old Russian named Dmitry Yuryevich Khoroshev, also known as ‘LockbitSupp’.
As is customary with such announcements, law enforcement authorities released photos of Khoroshev, as well as details of his group’s operation. The US Department of Justice charged Khoroshev with many computer crimes, fraud and extortion. And along the way, the feds also revealed some details about LockBit’s past operations.
Earlier this year, authorities seized LockBit’s infrastructure and the gang’s data banks, revealing key details about how LockBit operated.
Today, we have more details on what the feds called “a massive criminal organization that has at times ranked as the world’s most prolific and destructive ransomware group.”
Here’s what we learned from the Khoroshev indictment.
Khoroshev had a second nickname: putinkrab
The leader of LockBit was publicly known by the not-so-imaginative nickname LockBitSupp. But Khoroshev also had another online identity: putinkrab. The indictment does not include any information about the electronic handle, although it appears to refer to Russian President Vladimir Putin. On the internet, however, many profiles using the same nickname Flickr, YouTubeand Redditalthough it is unclear whether these accounts were managed by Khoroshev.
LockBit also hit victims in Russia
In the world of Russian cybercrime, experts say, there is a sacred, unwritten rule: hack anyone outside of Russia, and local authorities will leave you alone. Surprisingly, according to federal authorities, Khoroshev and his co-conspirators “also deployed LockBit against multiple Russian victims.”
It remains to be seen if this means the Russian authorities will go after Khoroshev, but at least now they know who he is.
Khoroshev kept a close eye on his associates
Ransomware operations like LockBit are known as ransomware-as-a-service. This means that there are developers who create the software and infrastructure, like Khoroshev, and then there are affiliates who operate and develop the software, infect victims, and extort ransoms. The affiliates paid Khoroshev about 20% of their procedures, the federations claimed.
According to the indictment, this business model allowed Khoroshev to “closely” monitor his affiliates, including accessing and sometimes participating in victims’ negotiations. Khoroshev “even requested identification documents from his Coconspirators affiliate, which he also maintained in his infrastructure.” This is probably how law enforcement was able to identify some of Lockbit’s affiliates.
Khoroshev also developed a tool called “StealBit” that complemented the main ransomware. This tool allowed collaborators to store data stolen from victims on Khoroshev’s servers and sometimes publish it on LockBit’s official dark web leak site.
LockBit’s ransomware payouts totaled around $500 million
LockBit launched in 2020, and since then its affiliates have successfully extorted at least $500 million from around 2,500 victims, which ranged from “large multinational corporations to small businesses and individuals, and included hospitals, schools, non-profit organizations, life-saving infrastructure facilities importance and government and law enforcement agencies.”
In addition to ransom payments, LockBit “caused worldwide damages totaling billions of US dollars” because the gang disrupted victims’ operations and forced many to pay for incident response and recovery services, the feds alleged.
Khoroshev contacted the authorities to track down some of his associates
Perhaps the most shocking of the latest revelations: In February, after a coalition of global law enforcement agencies took down LockBit’s website and infrastructure, Khoroshev was “contacting law enforcement and offering his services in exchange for information about with his identity [ransomware-as-a-service] competitors.”
According to the indictment, Khoroshev asked law enforcement “[g]Give me the names of my enemies.”
