LockBit ransomware admin identified, sanctioned in US, UK, Australia


The FBI, UK National Crime Agency, and Europol have unveiled sweeping indictments and sanctions against the admin of the LockBit ransomware operation, with the identity of the Russian threat actor revealed for the first time.

According to a new indictment by the US Department of Justice and a press release by the NCA, the LockBit ransomware operator known as ‘LockBitSupp’ has been confirmed to be a Russian national named Dmitry Yuryevich Khoroshev, who reportedly earned $100 million as part of the gang’s activities.

“The sanctions against Russian national Dmitry Khoroshev (pictured), the administrator and developer of the LockBit ransomware group, are being announced today by the FCDO alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs,” announced the National Crime Agency.

“Khoroshev, AKA LockBitSupp, who thrived on anonymity and offered a $10 million reward to anyone who could reveal his identity, will now be subject to a series of asset freezes and travel bans.”

Today’s announcements also impose sanctions on Khoroshev, including asset freezes and travel bans.

“The administrator and developer of LockBit, a Russian national, is now subject to a series of asset freezes and travel bans issued by the UK Foreign, Commonwealth and Development Office, alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs and Trade,” reads an announcement from Europol.

These sanctions will cause massive disruptions to the ransomware operation, because paying a ransom could potentially break sanctions and expose companies to government fines.

In the past, similar sanctions caused some ransomware negotiators to no longer assist in ransom payments for sanctioned ransomware operations.

The US also offers a $10 million reward for information leading to LockBitSupp’s arrest and/or conviction as part of the Rewards for Justice program.

Law enforcement also announced that its hacking and seizure of LockBit infrastructure allowed it to obtain more decryption keys than previously announced.

In February, an international law enforcement operation named Operation Cronos took down LockBit’s infrastructure, including 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel.

Europol now reveals that they obtained 2,500 decryption keys and are continuing to assist LockBit victims in recovering their files for free.

The UK says LockBit was responsible for extorting $1 billion from thousands of companies worldwide, with the DOJ saying that Khoroshev and his affiliates extorted over $500 million in ransom payments.

Law enforcement claims that between June 2022 and February 2024 the ransomware operation conducted over 7,000 attacks, with the top five countries hit being the US, the UK, France, Germany, and China.

Law enforcement continues to analyze the data retrieved during Operation Cronos, which shows that the ransomware operation had 194 affiliates up until February 2024.

However, after the disruption, this number dropped to 69, illustrating law enforcement’s massive impact on the ransomware operation and the loss of trust that other threat actors had in its leadership.

This is a developing story.


