LockBit leader unmasked and sanctioned

A leader of what was once the world’s most harmful cyber crime group has been unmasked and sanctioned by the UK, US and Australia, following a National Crime Agency-led international disruption campaign.

The sanctions against Russian national Dmitry Khoroshev, the administrator and developer of the LockBit ransomware group, are being announced today by the FCDO alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.

Khoroshev, AKA LockBitSupp, who thrived on anonymity and offered a $10 million reward to anyone who could reveal his identity, will now be subject to a series of asset freezes and travel bans.

US partners have also unsealed an indictment against him and are offering a reward of up to $10m for information leading to his arrest and/or conviction.

The actions targeting Khoroshev form part of an extensive and ongoing investigation into the LockBit group by the NCA, FBI, and international partners who form the Operation Cronos taskforce.

LockBit provided ransomware-as-a-service (RaaS) to a global network of hackers or ‘affiliates’, supplying them with the tools and infrastructure to carry out attacks.

In February the NCA announced that it had infiltrated the group’s network and taken control of its services, including its leak site on the dark web, which compromised the entire criminal enterprise.

The true impact of LockBit’s criminality was previously unknown, but data obtained from their systems showed that between June 2022 and February 2024, more than 7,000 attacks were built using their services. The top five countries hit were the US, UK, France, Germany and China.

Attacks targeted over 100 hospitals and healthcare companies and at least 2,110 victims were forced into in some degree of negotiation by cyber criminals.

The group has attempted to rebuild over the last two months, however the NCA assesses that as a result of this investigation, they are currently running at limited capacity and the global threat from LockBit has significantly reduced.

LockBit have created a new leak site on which they have inflated apparent activity by publishing victims targeted prior to the NCA taking control of its services in February, as well as taking credit for attacks perpetrated using other ransomware strains.

Data shows that the average number of monthly LockBit attacks has reduced by 73% in the UK since February’s action, with other countries also reporting reductions. Attacks appear to have been carried out by less sophisticated affiliates with lower levels of impact.

As well as uncovering the real-world identity of LockBitSupp, the Operation Cronos investigation has given the NCA and partners a deep insight into LockBit’s operations and network. 

Of the 194 affiliates identified as using LockBit’s services up until February 2024:

• 148 built attacks.
• 119 engaged in negotiations with victims, meaning they definitely deployed attacks.
• Of the 119 who began negotiations, there are 39 who appear not to have ever received a ransom payment.
• 75 did not engage in any negotiation, so also appear not to have received any ransom payments.

This means up to 114 affiliates paid thousands to join the LockBit programme and caused unknown levels of damage, meaning they will targeted by law enforcement, but never made any money from their criminality.

Active affiliate numbers have also significantly reduced, to 69, since February.

The NCA uncovered numerous examples of attacks where the decryptor provided by LockBit to victims who had paid ransoms failed to work, and where they received no support from affiliates or LockBit, further highlighting their untrustworthiness.

In one affiliate attack against a children’s hospital in December 2022, LockBitSupp issued an apologetic statement on their leak site and confirmed it had provided the decryptor to the victim for free.

It said the attacker had “violated our rules”, had been blocked and was no longer in their affiliate programme. In fact, they remained an active LockBit affiliate up until the February 2024 disruption, with NCA analysis showing they went on to build 127 unique attacks, engage in 50 negotiations with victims and received multiple ransom payments.

Finally, as was established by investigators, LockBit did not routinely delete stolen data once a ransom was paid.

NCA Director General Graeme Biggar said: “These sanctions are hugely significant and show that there is no hiding place for cyber criminals like Dmitry Khoroshev, who wreak havoc across the globe. He was certain he could remain anonymous, but he was wrong.

“We know our work to disrupt LockBit thus far has been extremely successful in degrading their capability and credibility among the criminal community. The group’s attempt at rebuilding has resulted in a much less sophisticated enterprise with significantly reduced impact.

“Today’s announcement puts another huge nail in the LockBit coffin and our investigation into them continues. We are also now now targeting affiliates who have used LockBit services to inflict devastating ransomware attacks on schools, hospitals and major companies around the world.

“Working with our international partners, we will use all the tools at our disposal to target other groups like LockBit, expose their leadership and undermine their operations to protect the public.”

Sanctions Minister, Anne-Marie Trevelyan said: “Together with our allies we will continue to crack down on hostile cyber activity which is destroying livelihoods and businesses across the world. 

“In sanctioning one of the leaders of LockBit we are taking direct action against those who continue to threaten global security, while simultaneously exposing the malicious cyber-criminal activity emanating from Russia.” 

Security Minister Tom Tugendhat said: “Cyber criminals think they are untouchable, hiding behind anonymous accounts as they try to extort money from their victims.

“By exposing one of the leaders of LockBit, we are sending a clear message to these callous criminals. You cannot hide. You will face justice.”

The NCA and international partners are now in possession of over 2,500 decryption keys and are continuing to contact LockBit victims to offer support. The Agency has so far proactively reached out to nearly 240 LockBit victims in the UK.

Public reporting is absolutely vital in supporting global law enforcement to tackle ransomware effectively. If you are in the UK, you should use the Government’s Cyber Incident Signposting Site as soon as possible, for direction on which agencies to report your incident to.

The Operation Cronos taskforce includes the NCA, the South West Regional Organised Crime Unit (SWROCU), and Metropolitan Police Service in the UK; FBI and the Department of Justice in the US; Europol, Eurojust, and law enforcement partners in France (Gendarmerie), Germany (LKA and BKA), Switzerland (Fedpol and Zurich Cantonal Police), Japan (National Police Agency), Australia (Australian Federal Police), Sweden (Swedish Police Authority), Canada (RCMP), and the Netherlands (National Police - Politie).

This operation was also supported by the National Bureau of Investigation in Finland.