Russian national Dmitry Khoroshev is “LockBitSupp”, the creator, developer and administator of the infamous LockBit ransomware group, according to UK, US and Australia law enforcement agencies.
The US Justice Deparment has unsealed charges against Khoroshev and the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the Australian Department of Foreign Affairs, and the UK Foreign, Commonwealth and Development Office have imposed sanctions on him.
Taking LockBit down
In February 2024, the UK National Crime Agency took over LockBit’s leak site and claimed to have infiltrated the group’s network, obtained the LockBit platform’s source code, as well as intelligence about its affiliates and victims.
The takedown was part of Operation Cronos, which also resulted in the takedowns of servers and freezing of assets linked to the group, and the arrest and/or indictment of several LockBit affiliates in Poland, Ukraine and Russia. The agencies also implied that they know the identity of LockBitSupp and that the individual is cooperating with law enforcement.
A few days later, the LockBit leak site returned online, with a message from LockBitSupp trying to reassure the group’s affiliates.
“The group has attempted to rebuild over the last two months, however the NCA assesses that as a result of this investigation, they are currently running at limited capacity and the global threat from LockBit has significantly reduced,” the National Crime Agency says.
“LockBit have created a new leak site on which they have inflated apparent activity by publishing victims targeted prior to the NCA taking control of its services in February, as well as taking credit for attacks perpetrated using other ransomware strains. Data shows that the average number of monthly LockBit attacks has reduced by 73% in the UK since February’s action, with other countries also reporting reductions.”
The agency also says that, since February, the list of active LockBit affiliates has shrunk significantly, and that LockBit “did not routinely delete stolen data once a ransom was paid.”
Who is LockBitSupp?
Now, a couple of months later, law enforcement made good on its promise to reveal LockBitSupp’s alleged identity.
Khoroshev was the LockBit ransomware group’s developer and administrator since its inception (circa September 2019), the US DOJ alleges.
With the help of affiliates, the LockBit ransomware group attacked more than 2,500 victims – individuals, businesses, hospitals, critical infrastructure organizations, government agencies, etc. – in 120+ countries, and “extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery.”
Khoroshev himself allegedly pocketed roughly 20% of the total (i.e., around $100 million).
What’s next?
“Khoroshev is charged with one count of conspiracy to commit fraud, extortion, and related activity in connection with computers; one count of conspiracy to commit wire fraud; eight counts of intentional damage to a protected computer; eight counts of extortion in relation to confidential information from a protected computer; and eight counts of extortion in relation to damage to a protected computer. In total, those charges carry a maximum penalty of 185 years in prison,” the US DOJ says.
“Each of the 26 counts charged by the indictment also carries a maximum fine of the greatest of $250,000, pecuniary gain to the offender, or pecuniary harm to the victim.”
Since Khoroshev is a Russian national and lives in Russia, it’s unlikely that he will be extradited to the US for the trial, but the financial and travel sanctions imposed by the US, UK and Australia should affect his ability to do cybercrime.
He might adopt another online persona and set up a new ransomware group, but his credibility with affiliates has obviously taken a beating. The sanctions also mean that sending a ransom to Khoroshev or his associates is now a criminal offense.
US authorities are also offering a reward of up to $10 million for information leading to his arrest and/or conviction.
Europol says that international law enforcement is in possession of over 2,500 decryption keys and are contacting the gang’s victims to offer support. The NCA says it has reached out to nearly 240 LockBit victims in the UK.