Cops finally unmask ‘LockBit kingpin’ after two-month tease – Source: go.theregister.com

Updated Police have finally named who they firmly believe is the kingpin of the LockBit ransomware ring: Dmitry Yuryevich Khoroshev.

Khoroshev’s unmasking and addition to Western sanctions lists represents a landmark revelation in the cops’ efforts to disrupt and dismantle the LockBit operation, the bulk of which action was carried out in February under the code-name Operation Cronos.

Many thought the unveiling of the Russian national’s true identity, which had been kept a closely guarded secret for years, would come that chilly month as the cherry on top of LockBit’s downfall. The authorities chose not to reveal his name at the time, and it isn’t clear why they’ve chosen now to do so.

Back in February, the cops merely teased the fact they knew the identity of Khoroshev, aka LockBitSupp, with a final post on the confiscated LockBit website saying of the gang’s leader:

Today’s naming will provide a tidy bookend to the two-month tease, though given his residence in Voronezh, Russia, the charges and sanctions leveled against Khoroshev, 31, are unlikely to result in justice.

We’re told that the UK, US, and Australia have sanctioned the Russian national, while America has charged him with criminal complaints. Britain’s cops as well as the Feds in the US described Khoroshev as an administrator, creator, and developer of the ransomware, which has hit thousands of targets and raked in more than $100 million in ransoms.

“These sanctions are an important moment in our fight against cyber criminals behind the LockBit ransomware group, which is now on its knees following our disruption earlier this year,” said Graeme Biggar, director general at the UK National Crime Agency (NCA), which led Operation Cronos.

“They have caused untold damage to schools, hospitals, and major companies across the world, who’ve had to pick up the pieces following devastating cyber attacks. 

“Dmitry Khoroshev thought he was beyond reproach, even offering $10 million to anyone who could reveal his identity, but these actions dispel that myth. Our investigation into LockBit and its affiliates continues and, working with our international partners, we’ll do everything we can to undermine their operations and protect the public.”

In an interview with malware librarians VX-Underground, Khoroshev said whatever law enforcement was planning to reveal was a lie.

The Russian said: “I don’t understand why they’re putting on this little show. They’re clearly upset we continue to work.” 

The United States is meanwhile offering its own $10 million reward to anyone who can provide authorities with information leading to the arrest and/or conviction of Khoroshev, or any other individual who holds a senior leadership position within LockBit.

Under Operation Cronos, British police, the FBI, and other international cops dramatically infiltrated the gang and seized LockBit’s blog where its victims are listed and stolen data is published. 

The NCA then repurposed the site as an exposé hub, sharing various insights gleaned about crew. After pulling the site offline, Operation Cronos revived it over the weekend and today it became an exposé hub once again.

• Fed-run LockBit site back from the dead and vows to really spill the beans on gang
• LockBit ransomware kingpin gets 4 years behind bars
• The federal bureau of trolling hits LockBit, but the joke’s on us
• LockBit’s contested claim of fresh ransom payment suggests it’s been well hobbled

Offering an update on its investigation, the Operation Cronos team said they looked deep into LockBit’s 194 affiliates and concluded that 114 appear to have never earned a penny from their time spent attacking organizations.

A total of 119 affiliates engaged in negotiations with victims, but at least 39 of these appear to have never received a ransom payment. An additional 75 affiliates appear to have never engaged in any negotiations, meaning they would never have received a payment.

Some 114 affiliates will be probed by law enforcement for criminal activity despite never seeing any success in their endeavors, all after spending thousands to join the criminal gang. Various identities were uncovered and a small number of arrests were made in February. The Western plod were unable to snare more given that most of LockBit’s members reside in Russia.

Some mystery has shrouded LockBit’s operation since the initial takedown attempt. Its suspected leader, Khoroshev, who was expected to be unmasked in February, remained anonymous, created another blog, and continued to claim responsibility for ransomware infections. The Feds’ efforts to take the gang down appeared to be largely fruitless.

Post-bust, LockBit claimed to have hit more victims, though these merely appeared to be organizations the crew extorted in years past. The NCA also believes some of the attacks claimed by LockBit after the February disruption were actually carried out by rival ransomware gangs.

Despite Khoroshev’s attempts to rebuild the operation, LockBit remains significantly upended. Per the NCA, LockBit is “running at limited capacity” and its global threat has been “significantly reduced.”

More than 7,000 attacks were launched using LockBit’s tools between June 2022 and February 2024, said the crime-busting agency having pored over files collected from its takedown of the gang’s IT.

The extortionists targeted more than 100 hospitals and healthcare companies, and at least 2,110 victims total began negotiations with the criminals.

The NCA said: “Data shows that the average number of monthly LockBit attacks has reduced by 73 percent in the UK since February’s action, with other countries also reporting reductions. Attacks appear to have been carried out by less sophisticated affiliates with lower levels of impact.”

Of the 194 affiliates registered with LockBit as of February, the number has fallen to 69, suggesting many have lost confidence in the gang and shifted their allegiances elsewhere.

UK security minister Tom Tugendhat said: “Cybercriminals think they are untouchable, hiding behind anonymous accounts as they try to extort money from their victims.

“By exposing one of the leaders of LockBit, we are sending a clear message to these callous criminals. You cannot hide. You will face justice.” ®

Editor’s note: This story was updated with more information from the Dept of Justice and NCA. You can watch US prosecutors lay out their case in the video below.

Youtube Video