Dmitry Khoroshev, a key figure in the notorious LockBit ransomware group, has been unmasked and sanctioned by international forces led by the National Crime Agency (NCA).
This significant development follows a concerted global effort involving the UK, US, and Australia, marking a critical step in dismantling what was once described as the world’s most harmful cybercrime organization.
Khoroshev, also known by his alias LockBitSupp, was an integral administrator and developer for LockBit. Known for his desire for anonymity, Khoroshev had previously offered a multi-million reward for anyone who could reveal his identity.
As of today, he faces comprehensive sanctions, including asset freezes and travel bans, announced in collaboration by the UK's Foreign, Commonwealth & Development Office, the US Department of the Treasury’s Office of Foreign Assets Control, and the Australian Department of Foreign Affairs.
An indictment has been unsealed by US authorities, who are also offering a reward of up to $10 million for information leading to Khoroshev’s arrest and conviction. These actions are part of an ongoing, extensive investigation by the NCA, FBI, and other international partners within the Operation Cronos taskforce.
LockBit’s operations and impact
LockBit operated a ransomware-as-a-service (RaaS) model, providing affiliates worldwide with the necessary tools and infrastructure to execute cyberattacks. The scale of LockBit’s operations was vast, with over 7,000 attacks documented between June 2022 and February 2024, impacting countries like the US, UK, France, Germany, and China. Notably, over 100 hospitals and healthcare entities were targeted, involving at least 2,110 victims in negotiations with the attackers.
In a strategic move earlier in February, the NCA infiltrated and took control of LockBit’s network and dark web leak site, significantly compromising the group's capabilities. This intervention has led to a reported 73% reduction in the monthly number of LockBit attacks in the UK, with similar declines observed globally.
Through a large-scale law enforcement action named ‘Operation Cronos,’ authorities identified 194 affiliates using LockBit’s services, revealing a complex web of interactions and transactions. Notably, many affiliates never received ransom payments despite their criminal efforts, underscoring the high-risk, low-reward nature of such operations.
Further insights into LockBit’s dubious practices were uncovered, including instances where provided decryptors failed to work, leaving victims stranded even after paying ransoms. A specific case involved an attack on a children’s hospital, where the affiliate responsible was initially reprimanded but continued to operate under LockBit’s aegis, conducting numerous additional attacks.
The unmasking and sanctioning of Dmitry Khoroshev underscore the resolve of international law enforcement to combat global cybercrime. NCA Director General Graeme Biggar emphasized the success of these efforts in significantly degrading LockBit’s operational capabilities and credibility. The continuing investigation aims to dismantle the restructured, albeit less sophisticated, version of LockBit and to bring justice to affected victims.
The NCA and partners now possess over 2,500 decryption keys and are actively reaching out to victims to provide necessary support. Technical solutions and decryption tools for victims of ransomware are available for free on the ‘No More Ransom’ portal.
Proton Mail Discloses User Data Leading to Arrest in Spain
Leave a Reply