LockBitSupp Identity Revealed
The UK, US, and Australia have revealed the identity of Dmitry Khoroshev, a Russian national and the leader of the once-notorious LockBit ransomware group, following an international disruption campaign led by the National Crime Agency (NCA).
Dmitry Khoroshev, also known as LockBitSupp, who previously operated in secrecy and offered a $10 million reward to uncover his identity, is now facing sanctions announced by the FCDO in coordination with the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.
These sanctions include asset freezes and travel bans. Additionally, the US has unsealed an indictment against Khoroshev and is offering a reward of up to $10 million for information leading to his arrest or conviction.
These actions are part of an extensive investigation into the LockBit group conducted by the NCA, FBI, and other international partners forming the Operation Cronos taskforce.
LockBitSupp – Profile
Dimitry Yuryevich Khoroshev (Дмитрий Юрьевич Хорошев), also known as LockBitSupp, LockBit, and putinkrab, 31, of Voronezh, Russia, is charged by a 26-count indictment returned by a grand jury in the District of New Jersey.
“Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” said U.S.
Khoroshev is accused of serving as the developer and administrator of the LockBit ransomware group from its inception around September 2019 until May 2024. Together with his accomplices, Khoroshev expanded LockBit into one of the most active and destructive ransomware variants globally.
The group targeted over 2,500 victims across 120 countries, including 1,800 victims in the United States. LockBit’s victims ranged from individuals and small businesses to multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government agencies. Khoroshev and his co-conspirators allegedly extorted at least $500 million in ransom payments and caused billions of dollars in broader financial losses, including lost revenue, incident response costs, and recovery expenses.
Khoroshev purportedly designed LockBit to function under the “ransomware-as-a-service” (RaaS) model. As the developer and administrator, he oversaw the creation of the LockBit ransomware code, recruited affiliates to deploy it against victims, and maintained the LockBit infrastructure, which included a control panel for affiliates to manage the deployment of LockBit. Khoroshev also managed LockBit’s data leak site, where stolen data from noncompliant victims was publicly disclosed.
According to the indictment, Khoroshev received a 20% share of each ransom payment obtained from LockBit victims, with the remaining 80% going to the affiliate responsible for the attack. Throughout the scheme, Khoroshev allegedly received at least $100 million in digital currency disbursements from his share of LockBit ransom payments.
LockBit Group – What’s Next?
Over the past two months, the group has made efforts to regroup; however, according to the NCA’s assessment, their operations are currently running at limited capacity due to this investigation, resulting in a substantial decrease in the global threat posed by LockBit.
LockBit has launched a new leak site where they have exaggerated their activity by listing victims targeted before the NCA gained control of their services in February, and have also claimed responsibility for attacks carried out using other ransomware strains.
Data indicates that the average monthly number of LockBit attacks in the UK has decreased by 73% since the actions taken in February, with similar reductions reported in other countries. These attacks appear to be conducted by less sophisticated affiliates, resulting in lower impact.
Insights into LockBit’s Operations
In addition to uncovering the true identity of LockBitSupp, the Operation Cronos investigation has provided the NCA and its partners with detailed insights into LockBit’s operations and network. The National Crime Agency also disclosed that LockBit had 194 affiliates until February 2024, before Operation Cronos. Since then, its assessment indicates that the number of active affiliates has fallen significantly, to 69.
The Race is On
As discussed in our previous blog post on LockBit’s recent attacks, law enforcement’s efforts to dismantle the group are intensifying and drawing closer to shutting down the entire LockBit operation. While it may take time to uncover all the affiliates and apprehend them, these ongoing efforts represent a significant stride in demonstrating to threat actors worldwide that governments and agencies possess the capability to apprehend cybercriminals.
However, until the day arrives when the LockBit operation is ultimately dismantled, the remaining 69 active affiliates will persist in targeting various entities globally, without regard for industry sectors or specific victims. LockBit demonstrated just two days ago that the operation is resilient and will persist until the entire group is brought down.