U.S. Charges Russian Man as Boss of LockBit Ransomware Group – Krebs on Security


The United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the notorious ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev and charged him with using Lockbit to attack more than 2,000 victims and extort at least $100 million in ransomware payments.

Image: U.K. National Crime Agency.

Khoroshev (Дмитрий Юрьевич Хорошев), a resident of Voronezh, Russia, was charged in a 26-count indictment by a grand jury in New Jersey.

“Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” U.S. Attorney Philip R. Sellinger said in a statement released by the Justice Department.

The indictment alleges Khoroshev acted as the LockBit ransomware group’s developer and administrator from its inception in September 2019 through May 2024, and that he typically received a 20 percent share of each ransom payment extorted from LockBit victims.

The government says LockBit victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.

“Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery,” the DOJ said. “The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States.”

The unmasking of LockBitSupp comes nearly three months after U.S. and U.K. authorities seized the darknet websites run by LockBit, retrofitting them with press releases about the law enforcement action and free tools to help LockBit victims decrypt infected systems.

The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

One of the blog captions that authorities left on the seized site was a teaser page that read, “Who is LockbitSupp?,” which promised to reveal the true identity of the ransomware group leader. That item featured a countdown clock until the big reveal, but when the site’s timer expired no such details were offered.

Following the FBI’s raid, LockBitSupp took to Russian cybercrime forums to assure his partners and affiliates that the ransomware operation was still fully operational. LockBitSupp also raised another set of darknet websites that soon promised to release data stolen from a number of LockBit victims ransomed prior to the FBI raid.

One of the victims LockBitSupp continued extorting was Fulton County, Ga. Following the FBI raid, LockbitSupp vowed to release sensitive documents stolen from the county court system unless paid a ransom demand before LockBit’s countdown timer expired. But when Fulton County officials refused to pay and the timer expired, no stolen records were ever published. Experts said it was likely the FBI had in fact seized all of LockBit’s stolen data.

LockBitSupp also bragged that their real identity would never be revealed, and at one point offered to pay $10 million to anyone who could discover their real name.

KrebsOnSecurity has been in intermittent contact with LockBitSupp for several months over the course of reporting on different LockBit victims. Reached at the same ToX instant messenger identity that the ransomware group leader has promoted on Russian cybercrime forums, LockBitSupp claimed the authorities named the wrong man.

“It’s not me,” LockBitSupp replied in Russian. “I don’t understand how the FBI was able to connect me with this poor guy. Where is the logical chain that it is me? Don’t you feel sorry for a random innocent person?”

LockBitSupp, who now has a $10 million bounty for his arrest from the U.S. Department of State, has been known to be flexible with the truth. The Lockbit group routinely practiced “double extortion” against its victims — requiring one ransom payment for a key to unlock hijacked systems, and a separate payment in exchange for a promise to delete data stolen from its victims.

But Justice Department officials say LockBit never deleted its victim data, regardless of whether those organizations paid a ransom to keep the information from being published on LockBit’s victim shaming website.

Khoroshev is the sixth person officially indicted as an active member of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.

Ivan Gennadievich Kondratyev, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts arising from his alleged use of the Sodinokibi (aka “REvil”) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.

In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail “Wazawaka” Matveev and Mikhail Vasiliev. In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.

Matveev remains at large, presumably still in Russia. Meanwhile, the U.S. Department of State has a standing $10 million reward offer for information leading to Matveev’s arrest.

Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at this PDF).

In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.

The Justice Department is urging victims targeted by LockBit to contact the FBI at https://lockbitvictims.ic3.gov/ to file an official complaint, and to determine whether affected systems can be successfully decrypted.

