In a coordinated effort, the FBI, UK National Crime Agency, and Europol have revealed comprehensive indictments and sanctions against the administrator of the notorious LockBit ransomware operation. For the first time, the identity of the Russian threat actor, known as ‘LockBitSupp’, has been disclosed as Dmitry Yuryevich Khoroshev, a 31-year-old Russian national from Voronezh, who allegedly amassed $100 million through the gang’s illicit activities.
The UK Foreign, Commonwealth and Development Office, in collaboration with the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs and Trade, has imposed a series of asset freezes and travel bans on Khoroshev. These sanctions are expected to cause significant disruptions to the ransomware operation, as paying a ransom could potentially violate sanctions and result in government fines for companies.
The US government is offering a $10 million reward for information leading to the arrest and/or conviction of LockBitSupp through the Rewards for Justice program. Additionally, law enforcement agencies have announced that their successful hacking and seizure of LockBit infrastructure has yielded more decryption keys than initially reported.
LockBit, which launched in September 2019 under the name ‘ABCD’ before rebranding, operates as a ransomware-as-a-service (RaaS) model. The cybercrime operation develops and maintains the encryptor, Tor negotiation, and data leak sites while recruiting affiliates to hack corporate networks, steal data, and encrypt devices. LockBit operators earn approximately 20% of any ransom payments, with the affiliates keeping the remainder.
Despite originally claiming to operate from China, it comes as no surprise that LockBitSupp is a Russian national. LockBit quickly became the largest and most active ransomware operation, with a steady stream of new victims and 194 affiliates until February 2024.
However, in February, the ransomware gang faced a major setback due to ‘Operation Cronos’, a law enforcement action that took down LockBit’s infrastructure, including 34 servers hosting the data leak website, its mirrors, and the affiliate panel. This action allowed law enforcement to recover stolen victim data, cryptocurrency addresses, decryption keys, and other valuable information about the gang.
The UK’s National Crime Agency reports that LockBit was responsible for extorting $1 billion from thousands of companies worldwide, with the US Department of Justice stating that Khoroshev and his affiliates extorted over $500 million in ransom payments. Between June 2022 and February 2024, the ransomware operation conducted over 7,000 attacks, primarily targeting the US, UK, France, Germany, and China.
Although LockBit continues to operate, targeting new victims and recently releasing a substantial amount of old and new data, the NCA reports that Operation Cronos has led to a significant exodus of affiliates, reducing the number of active members from 194 to 69 as threat actors lost trust in the leadership.
While LockBitSupp may attempt to retaliate against US and UK authorities by leaking more sensitive data stolen from victims, this is likely the ransomware’s final days. Since the emergence of modern ransomware in 2012, there has been a constant rotation of threat actors operating under different names. Although these law enforcement actions may lead to the shutdown of the LockBit ransomware operation, the same threat actors will likely continue their activities under a new name in the future.