The identity of the leader of one of the most infamous ransomware groups in history has finally been revealed.
On Tuesday, a coalition of law enforcement led by the U.K.’s National Crime Agency announced that Russian national, Dmitry Yuryevich Khoroshev, 31, is the person behind the nickname LockBitSupp, the administrator and developer of the LockBit ransomware. The U.S. Department of Justice also announced the indictment of Khoroshev, accusing him of computer crimes, fraud and extortion.
“Today we are going a step further, charging the individual who we allege developed and administered this malicious cyber scheme, which has targeted over 2,000 victims and stolen more than $100 million in ransomware payments,” Attorney General Merrick B. Garland was quoted as saying in the announcement.
According to the DOJ, Khoroshev is from Voronezh, a city in Russia around 300 miles south of Moscow.
“Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey, where Khoroshev was indicted.
The law enforcement coalition announced the identity of LockBitSupp in press releases, as well as on LockBit’s original dark web site, which the authorities seized earlier this year. On the site, the U.S. Department of State announced a reward of $10 million for information that could help the authorities to arrest and convict Khoroshev.
The U.S. government also announced sanctions against Khoroshev, which effectively bars anyone from transacting with him, such as victims paying a ransom. Sanctioning the people behind ransomware makes it more difficult for them to profit from cyberattacks. Violating sanctions, including paying a sanctioned hacker, can result in heavy fines and prosecution.
LockBit has been active since 2020, and, according to the U.S. cybersecurity agency CISA, the group’s ransomware variant was “the most deployed” in 2022.
Europol, which participated in the law enforcement operation, said in a statement that authorities now have over 2,500 decryption keys that can help victims unlock data previously encrypted by the gang.
On Sunday, the law enforcement coalition restored LockBit’s seized dark web site to publish a list of posts that were intended to tease the latest revelations. In February, authorities announced that they took control of LockBit’s site and had replaced the hackers’ posts with their own posts, which included a press release and other information related to what the coalition called “Operation Cronos.”
Shortly after, LockBit appeared to make a return with a new site and a new list of alleged victims, which was being updated as of Monday, according to a security researcher who tracks the group.
For weeks, LockBit’s leader, known as LockBitSupp, had been vocal and public in an attempt to dismiss the law enforcement operation, and to show that LockBit is still active and targeting victims. In March, LockBitSupp gave an interview to news outlet The Record in which they claimed that Operation Cronos and law enforcement’s actions don’t “affect business in any way.”
“I take this as additional advertising and an opportunity to show everyone the strength of my character. I cannot be intimidated. What doesn’t kill you makes you stronger,” LockBitSupp told The Record.
