LockbitSupp, the pseudonymous leader of the LockBit ransomware group, was identified as a Russian national called Dmitry Khoroshev on 7 May as the United States, United Kingdom and Australia imposed financial sanctions against him.
A 26-count indictment has been unsealed in the US charging Khoroshev with developing and operating the LockBit ransomware service. He is accused of growing LockBit “into a massive criminal organization that has, at times, ranked as the most prolific and destructive ransomware group in the world.”[1]
The reveal of Khoroshev’s identity had been teased on the ransomware group’s own darknet extortion site, which was seized by the United Kingdom’s National Crime Agency (NCA) earlier this year. The site now hosts a wanted poster offering a reward of up to $10 million for information leading to his arrest and/or conviction. According to the NCA, Khoroshev had “thrived on anonymity” and had himself “offered a $10 million reward to anyone who could reveal his identity.” In an interview with the Click Here podcast[2], he had claimed investigators had overstated how much they knew about him.
While the LockBit site had previously been used to publish stolen information from the ransomware gang’s victims, under the control of the NCA it is instead showing off how much information investigators have obtained from the service’s backend.
On 7 May, police uploaded a wanted poster featuring two pictures of Khoroshev to the site, alongside posts detailing insights their investigation has produced so far. The FBI's deputy assistant director for cyber operations said “no Russian hacker should feel secure that they haven't been identified by the US government.” LockBit “represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals,” said FBI Director Christopher Wray in a written statement. “The charges announced today reflect the FBI’s unyielding commitment to disrupting ransomware organizations and holding the perpetrators accountable,” Wray added.
Untold damage
LockBit had been the most impactful and prolific ransomware-as-a-service (RaaS) organization in operation over the past four years. It monetized cyberattacks disrupting thousands of businesses worldwide, including Boeing and Royal Mail.
The ransomware service “caused untold damage to schools, hospitals and major companies across the world, who’ve had to pick up the pieces following devastating cyber-attacks,” said the NCA's director general Graeme Biggar.
LockBit-linked cyberattacks had repeatedly sought to profit by risking lives, including by forcing two major hospitals in upstate New York to divert ambulances, and, just days before Christmas, attacking Toronto’s Hospital for Sick Children, causing diagnostic and treatment delays for its patients, as well as extraordinary distress for the families affected, because clinical teams were struggling to receive lab reports and imaging results.
Similar to software-as-a-service companies, RaaS gangs provide a platform to customers. The customers were hackers (known as “affiliates” within the ransomware ecosystem) who, after breaching a victim, paid to access a LockBit control panel. From there they used the service to encrypt devices on the target network and/or steal data, threatening to publish it on the platform’s darknet site unless an extortion fee was paid.
LockBit claimed that the affiliate responsible for targeting the children’s hospital back in 2022 had been blocked. But according to the NCA, this was a lie and the affiliate received multiple ransom payments after this attack and “remained an active LockBit actor until our operation in February.”
LockBit consistently published to its darknet extortion site the data of more victims who refused to pay a ransom than any other outfit: over 2,000 according to the latest count, more than its closest three competitors (Conti, AlphV, Clop) combined.
Khoroshev is accused of creating an effective RaaS enterprise, functioning more as a chief executive than a support account or an administrator as his moniker implied. According to the chief security analyst at Analyst1 who told the Click Here podcast about infiltrating the LockBit group, Khoroshev upended the ransomware ecosystem by putting affiliates in charge of the extortion negotiations, with an automated system in place that saw LockBit collect roughly 20% of the extortion fee as a commission. The indictment alleges “Khoroshev alone allegedly received at least $100 million in disbursements of digital currency through his developer shares of LockBit ransom payments.”
A cold wind for criminals
The Russian national is the sixth LockBit member to be charged with participating in the LockBit conspiracy. Earlier this year in February, Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, were accused of deploying the ransomware against numerous victims. Another suspect, Ruslan Magomedovich Astamirov, also a Russian national, is currently in custody awaiting trial over his alleged participation with the cyber extortion service following a criminal complaint filed in June of last year.
A month earlier, two indictments were unsealed against Mikhail Matveev, also known as “Wazawaka,” charging him with using LockBit to attack a large number of victims in the United States.
Back in November 2022, a dual Russian-Canadian national called Mikhail Vasiliev was also accused of being a LockBit affiliate. Vasiliev is currently in custody in Canada awaiting extradition to the United States. The FBI said, “If you look at the indictments, the sanctions against Russian actors, all of these have effect because those actors now know that if they want a better life outside of Russia, if they want to travel and do business, if they want to travel and vacation elsewhere, if they are under indictment or sanctions in the United States, they can no longer do that. And that should serve as a deterrent. That should serve as kind of a cold wind in Europe.”
Despite the latest action, there remain affiliates who have historically been involved with LockBit. "We still have to hold them accountable for targeting US-based companies," the FBI said. "There's still money out there that has been extorted from victims that are in the hands of criminals. We want to understand where that money is and, if there's any opportunity to, get that money back."
Philip Sellinger, the US Attorney for the District of New Jersey, said, “Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe. He thought he could do so hidden by his notorious moniker ‘LockbitSupp,’ anonymous and free of any consequence, while he personally pocketed $100 million extorted from Lockbit’s victims. Through relentless investigation and coordination with our partners at the Criminal Division’s Computer Crime and Intellectual Property Section, the FBI and abroad, we have proven him and his coconspirators wrong.”
In an “Away” status message on the messaging service Tox, LockbitSupp has denied being Dmitry Khoroshev. “The FBI is bluffing, I’m not Dmitry, I feel sorry for the real Dmitry))) oh, and he’ll get fucked for my sins))),” the account stated.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
[1] https://therecord.media/lockbitsupp-suspect-accused-lockbit-ransomware-gang/
[2] https://therecord.media/after-lockbit-takedown-its-purported-leader-vows-to-hack-on