The UK’s National Crime Agency (NCA) said Tuesday it has identified Russian national Dmitry Khoroshev as the "administrator and developer" of the LockBit ransomware group – which between June 2022 and February 2024 saw 194 affiliates use its malware in over 2,500 attacks globally.
These earned it over $500 million in ransoms, US officials said, posting an indictment against Khoroshev today and describing LockBit as a "massive criminal organization" – its many victims included Boeing and without explicitly naming the company, the indictment notes that one victim, a "multinational aeronautical and defense corporation headquartered in Virginia – received a ransom demand of approximately $200 million."
See also: Boeing shares ransomware incident TTPs as Citrix Bleed attacks ramp up
The NCA in February announced that it had infiltrated the prolific ransomware group’s infrastructure and subsequently took over its leaks page. The agency said today: “LockBit have [since] created a new leak site on which they have inflated apparent activity by publishing victims targeted prior to the NCA taking control of its services in February, as well as taking credit for attacks perpetrated using other ransomware strains.”
It claimed today that UK Lockbit attacks have fallen 73% since and that of the 194 affiliates identified as using LockBit’s services up until February 2024:
- 148 built attacks.
- 119 engaged in negotiations with victims
- Of these 39 "appear not to have ever received a ransom payment"
- 75 did not engage in any negotiation, so also appear not to have received any ransom payments.
"This means up to 114 affiliates paid thousands to join the LockBit programme and caused unknown levels of damage, meaning they will targeted by law enforcement, but never made any money from their criminality."
The ransomware as a service group is credited with some of the most high profile ransomware attacks in recent years, including a breach that brought the UK’s Royal Mail to a virtual standstill last year and an attack on the US branch of the world's largest bank, China's ICBC.
LockBit affiliates earlier suggested that they had fallen victim to exploitation by law enforcement of an unpatched PHP vulnerability, CVE-2023-3824. The Stack, needless to say, could not confirm this claim.
See also: 1 Citrix bug alone triggered 13 “nationally significant” UK cybersecurity incidents
The UK’s Foreign Office, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs have unsealed indictments against Khoroshev and are offering a reward of up to $10m for information leading to his arrest or conviction.
The actions targeting Khoroshev form part of an “extensive and ongoing investigation” into the LockBit group by the NCA, FBI, and international partners who form the Operation Cronos taskforce which earlier this year took down 34 servers across the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom and seized over 200 Lockbit-linked cryptocurrency accounts.
The UK’s National Crime Agency (NCA) said Tuesday it has identified Russian national Dmitry Khoroshev as the administrator and developer of the LockBit ransomware group – which between June 2022 and February 2024 saw 194 affiliates use its malware in over 7,000 attacks globally.
The NCA in February announced that it had infiltrated the prolific ransomware group’s infrastructure and subsequently took over its leaks page. The agency said: “LockBit have [since] created a new leak site on which they have inflated apparent activity by publishing victims targeted prior to the NCA taking control of its services in February, as well as taking credit for attacks perpetrated using other ransomware strains.”
The ransomware as a service group is credited with some of the most high profile ransomware attacks in recent years, including a breach that brought the UK’s Royal Mail to a virtual standstill last year and an attack on the US branch of the world's largest bank, China's ICBC. In social posts LockBit affiliates earlier suggested that they had fallen victim to exploitation by law enforcement of an unpatched PHP vulnerability, CVE-2023-3824. The Stack, needless to say, could not confirm this claim.
The UK’s Foreign Office, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs have unsealed indictments against Khoroshev and are offering a reward of up to $10m for information leading to his arrest or conviction.
The actions targeting Khoroshev form part of an “extensive and ongoing investigation” into the LockBit group by the NCA, FBI, and international partners who form the Operation Cronos taskforce which earlier this year took down 34 servers across the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom and seized over 200 Lockbit-linked cryptocurrency accounts.
NCA Director General Graeme Biggar said in a press release: “These sanctions are hugely significant and show that there is no hiding place for cyber criminals like Dmitry Khoroshev, who wreak havoc across the globe. He was certain he could remain anonymous, but he was wrong.
“We know our work to disrupt LockBit thus far has been extremely successful in degrading their capability and credibility among the criminal community. The group’s attempt at rebuilding has resulted in a much less sophisticated enterprise with significantly reduced impact.
“Today’s announcement puts another huge nail in the LockBit coffin and our investigation into them continues. We are also now targeting affiliates who have used LockBit services to inflict devastating ransomware attacks on schools, hospitals and major companies around the world.
“Working with our international partners, we will use all the tools at our disposal to target other groups like LockBit, expose their leadership and undermine their operations to protect the public.”
More detail to follow.
