The U.S. Department of the Treasury has sanctioned Dmitry Yuryevich Khoroshev, a key leader of the Russia-based LockBit ransomware group, for his role in developing and disseminating LockBit ransomware. This action is part of a collaborative effort involving multiple international partners and follows a series of measures against Russian cybercriminals, underlining a sustained commitment to combating ransomware threats.
Key Insights
- Dmitry Yuryevich Khoroshev, a Russian national and leader of the LockBit ransomware group, has been sanctioned by the U.S. Department of the Treasury.
- The sanctions are a result of a collaborative international effort involving the U.S. Department of Justice, FBI, UK’s National Crime Agency, Australian Federal Police, and other partners.
- An indictment against Khoroshev has been unsealed, and a reward of up to $10 million for information leading to his arrest and/or conviction is being offered.
- LockBit is considered one of the most active ransomware groups globally, known for targeting critical infrastructure sectors and has extracted over $500 million in ransom payments.
- LockBit operates using a Ransomware-as-a-Service model, selling access to its ransomware to other cybercriminals.
- The U.S. has imposed several other sanctions against Russian cybercriminals involved in ransomware activities prior to this.
- Russia is criticized for providing a safe harbor for cybercriminals like those involved with LockBit.
- The recent sanctions aim to disrupt and degrade the ransomware ecosystem and promote positive change in behavior through such legal pressures.
A thirty-one-year-old resident of Voronezh, Russia is believed to be the leader of the notorious ransomware group LockBit. U.S. and European law enforcement revealed the identity of a Russian national following a 26-count indictment order.
Russian national Dmitry Yuryevich Khoroshev, aka LockBitSupp, is the alleged administrator and developer of the LockBit ransomware group. Khoroshev, who operated anonymously, offered a $10 million reward to anyone who could reveal his identity.
Khoroshev’s leadership role in LockBit’s criminal activities led to the hostile infiltration and victimization of over 2,000 organizations. The ransomware group was notorious for targeting critical infrastructure, schools, hospitals, government and non-government organizations.
Khoroshev allegedly performed several administrative roles for the ransomware group and has benefited approximately $100 million from LockBit ransomware attacks.
Law enforcement officials believe that he facilitated the upgrading of LockBit’s infrastructure, recruited new affiliates and developers for the ransomware, and managed the entire organization. He is also responsible for LockBit’s efforts to continue operations after their disruption by the U.S. and its allies earlier this year.
Sanctions against the Russian national were announced by the FCDO alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.
US partners have also released an indictment against Khoroshev and are offering a reward of $10 million for any information leading to his arrest. The US Department of The Treasury has also offered a $5 million reward for any information that leads to the conviction of LockBit administrators.
What We Know About the Lockbits Takedown
The sanctions against Khoroshev are part of an extensive and ongoing multi-national investigation into the LockBit ransomware group. After three years of investigating the group, an international task force known as “Operation Cronos” was able to infiltrate the ransomware group’s network and servers.
Earlier this year, the NCA announced that it had successfully infiltrated LockBit’s network and taken control of its services. The seizure took down the ransomware group’s dark web leak site, which it used to publish the names and compromised data of its victims.
The infiltration compromised the criminal organization. The NCA and its international partners were able to take control of LockBit’s primary administration environment, which allowed affiliates of the group to build and carry out attacks.
Data collected from LockBit’s network indicated that between June 2022 and February 2024, more than 7,000 attacks were built using their services. Law enforcement officials were then able to use data obtained in the seizure to unmask the ransomware group’s admin.
The NCA and international partners are now in possession of over 2,500 decryption keys from the criminal organization. The NCA, FBI, and international law enforcement partners developed decryption capabilities that will now enable thousands of victims to restore systems encrypted using the LockBit ransomware variant.
In response to law enforcement’s take on their leak site, the ransomware group has attempted to rebuild its empire. LockBit has created a new leak site on which they have published the names of victims targeted before the takedown. However, the NCA assesses that the group is currently running at a limited capacity.
The U.S. government has also charged and indicted five members of the ransomware group: Artur Sungatov and Ivan Kondratyev aka Bassterlord, Ruslan Magomedovich Astamirov, Mikhail Matveev aka Wazawaka, and Mikhail Vasiliev.
On May 7, 2024, The US Department of The Treasury announced sanctions against Dmitry Yuryevich Khoroshev for his role in developing and distributing LockBit ransomware. Furthermore, Law enforcement agencies from the UK and Australia have frozen all of Khoroshev’s known assets, banned his travel, and sanctioned him.
Speaking on the sanctions, NCA Director General Graeme Biggar said that the sanctions are significant and “show that there is no hiding place for cybercriminals like Dmitry Khoroshev, who wreak havoc across the globe. He was certain he could remain anonymous, but he was wrong.”
Charges Against Him
Khoroshev faces 26 indictments charges:
- One count of conspiracy to commit fraud, extortion, and related activity in connection with computers
- One count of conspiracy to commit wire fraud
- Eight counts of intentional damage to a protected computer
- Eight counts of extortion concerning confidential information from a protected computer
- Eight counts of extortion relating to damage to a protected computer
Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson: “Today’s action reaffirms our commitment to dismantling the ransomware ecosystem and exposing those who seek to conduct these attacks against the United States, our critical infrastructure, and our citizens.”