The UK’s National Crime Agency (NCA) has reported that Russian national Dmitry Yuryevich Khoroshev is the leader of the LockBit ransomware group, also called LockBitSup. Lockbit’s ransomware-as-a-service operation has been around for four years. In that time, the group became a high-profile ransomware operation and attacked thousands of organizations around the world. Based on the U.S. Department of Justice, LockBit has reported having over 2,000 victims globally, has received ransom payments of over $500 million, and has triggered billions of dollars in losses.
In February 2024, Operation Cronos, a global law enforcement operation under the NCA, penetrated the group’s network, controlled its infrastructure, and blocked LockBit from accessing its network. The NCA controlled the group’s admin programs used by the group’s affiliates to carry out ransomware attacks. The group publishes the names of victims and their stolen data on a public data leak website. As per the NCA, the data was obtained from LockBit’s 194 affiliates, intelligence, and decryptors for about 2,500 victims. The NCA included several posts on the leak website before taking it down after one week, with the statement to identify the group leader.
A few days after the law enforcement operation announcement, LockBit restored its infrastructure and, LockBitSupp lifted the restrictions for affiliates as an act of defiance. Before this, affiliates are not allowed to attack targets in the Commonwealth of Independent States (CIS). Now, previously “banned” targets like hospitals could be targeted. The group’s leader was so sure that his identity remained anonymous that he offered to give a $10 million reward to any person who could expose his identity.
The NCA stated recently that it had sifted through the information acquired during Operation Cronos. It found out that the group carried out over 7,000 attacks from June 2022 to February 2024, primarily in the U.S., U.K., Germany, France, and China. It attacked approximately 100 hospitals and health systems in violation of HIPAA. A minimum of 2,110 victims were compelled to negotiate.
The NCA mentioned that although LockBit’s infrastructure is restored, the group’s operation is at a limited capacity. It is running 73% fewer attacks compared to before the takedown. The new data leak site of the group has many listed victims, however, the numbers were increased and include affected individuals of ransomware attacks that employed other ransomware variants. During the takedown, the NCA mentioned it had acquired usernames for 194 affiliates. The current number of affiliates dropped to just 69, which conduct less advanced attacks with less impact, which implies that most of the group’s more competent affiliates have left.
The NCA also reported that 114 affiliates of the group paid thousands to become a member of the LockBit group, created substantial damage during their attacks, and will be hunted by law enforcement for being part of those attacks, but they never got paid by LockBit. The NCA additionally pointed out that the decryptors given by LockBit usually did not work. And even if the victims paid the ransom for the deletion of their data, LockBit did not consistently delete the stolen information.
U.S. authorities have already served a formal charge against Khoroshev. There is a reward of up to $10 million for any person who can give information that brings about his capture and/or indictment. The UK’s Foreign, Commonwealth and Development Office (FCDO), the Australian Department of Foreign Affairs, and the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) have sanctioned Khoroshev. Khoroshev is presumed to stay in Russia, where cybercriminals are never extradited. Hence, it is likely that Khoroshev will remain beyond the reach of U.K. and U.S. authorities.
NCA Director General Graeme Biggar stated that the investigation on the LockBit group continues. Affiliates who have been with the LockBit operation to cause dreadful ransomware attacks on hospitals, schools, and major businesses worldwide are targeted.