LockBit Leader Named and Sanctioned
The UK’s National Crime Agency (NCA) has named the leader of the infamous LockBit ransomware group as Russian national Dmitry Yuryevich Khoroshev, also known as LockBitSup. Lockbit is a ransomware-as-a-service group that has been in operation for four years. During that time, the group became the most prolific ransomware operation and targeted thousands of companies worldwide. According to the U.S. Department of Justice, LockBit has claimed more than 2,000 victims worldwide, has obtained more than $500 million in ransom payments, and has caused billions of dollars in losses.
In February 2024, an international law enforcement operation – Operation Cronos – headed by the NCA successfully infiltrated the group’s systems, took control of its infrastructure, and locked the group out of its systems. The NCA took control of the group’s administrative systems, which the group’s affiliates used to conduct ransomware attacks, and the group’s public-facing data leak site where victims are named and stolen data are published. According to the NCA, information was gathered on LockBit’s 194 affiliates, along with valuable intelligence, and the decryptors for around 2,500 victims. The NCA added a series of posts on the leak site before it was taken down after about a week, with the NCA promising to name the leader of the group.
LockBit’s infrastructure was restored a few days after the law enforcement operation was announced and, in an act of defiance, LockBitSupp said restrictions for affiliates had been lifted. Affiliates were still prohibited from attacking targets in the Commonwealth of Independent States (CIS), but previously “banned” targets such as hospitals could now be attacked. The group’s leader was so sure of his efforts to guarantee his anonymity that he offered a $10 million reward for anyone who could reveal his identity.
In a recent news release, the NCA said it had trawled through the data obtained during Operation Cronos and can now reveal that the group conducted more than 7,000 attacks between June 2022 and February 2024, mostly in the US, UK, France, Germany, and China, and more than 100 hospitals and health systems had been attacked. At least 2,110 victims were forced into some degree of negotiation.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The NCA said that while LockBit’s infrastructure has been rebuilt, the group is operating at limited capacity and is conducting 73% fewer attacks than before the takedown. The group’s new data leak site lists many victims, but the numbers have been inflated and include victims of ransomware attacks using other ransomware variants. At the time of the takedown, the NCA said it had obtained usernames for 194 affiliates and that number has now fallen to just 69, with the affiliates remaining with the group conducting less sophisticated attacks with a lower level of impact, which indicates many of the group’s more capable affiliates have jumped ship.
The NCA also said 114 of the group’s affiliates paid thousands to join the LockBit program, caused considerable damage from their attacks, and will be targeted by law enforcement for their role in those attacks, yet they never received any payments from LockBit. The NCA also revealed that the decryptors provided by LockBit often didn’t work, victims received little to no support, and while many victims paid the ransom to have their data deleted, LockBit did not routinely delete stolen data when the ransom was paid.
US authorities have now unsealed an indictment against Khoroshev and have offered up to $10 million as a reward for anyone who can provide information that leads to his arrest and/or conviction, and the UK’s Foreign, Commonwealth and Development Office (FCDO), the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the Australian Department of Foreign Affairs have sanctioned Khoroshev. Khoroshev is believed to live in Russia, a country that has never extradited cybercriminals, so he is likely to remain beyond the reach of US and UK law enforcement.
“Today’s announcement puts another huge nail in the LockBit coffin and our investigation into them continues. We are also now targeting affiliates who have used LockBit services to inflict devastating ransomware attacks on schools, hospitals and major companies around the world,” said NCA Director General Graeme Biggar.
Image source: National Crime Agency.
