Leader of Ransomware Group LockBit Unmasked: What We Know So Far
Merkle Science
The U.S. Department of State, in collaboration with the U.S. Department of Justice, the Federal Bureau of Investigation, the United Kingdom’s National Crime Agency, the Australian Federal Police, and other international partners, has taken a significant step against the infamous LockBit ransomware group. On May 7th, 2024, the United States designated Dmitry Yuryevich Khoroshev as the leader of LockBit and offered a reward of up to $10 million for information leading to his arrest or conviction.
What is LockBit?
LockBit emerged in September 2019 under the alias of the ".abcd virus," recognizable by the extension it appended to encrypted files. By 2022, it had become a major problem and governments worldwide called it the "world's most prolific ransomware."
LockBit operates on a Ransomware-as-a-Service (RaaS) model, where the group licenses its ransomware software to affiliated cybercriminals in exchange for payment, including a percentage of the paid ransoms. The group acts like a shady rental company, but instead of tools, it rents out programs that lock people's computers and demand money to unlock them. These renters, called affiliates, pay LockBit a fee upfront, a regular subscription, or a cut of the ransom they collect. To make things worse, LockBit also steals a lot of data from its victims before locking them out, which gives the attackers a second way to extort money, a tactic known as double extortion.
Since its debut in 2019, LockBit has allegedly attacked more than 2,000 people, businesses, schools, hospitals, and even government offices. It's estimated that LockBit has made off with $276 million USD from these ransomware attacks.
Figure: YoY losses due to LockBit ransomware attacks
While the U.S., along with its allies, has previously taken steps to disrupt LockBit's infrastructure and networks (including imposing sanctions on its affiliates back in February 2024), the ransomware group has been increasingly prolific in its attacks over the last few years.
Who is Dmitry Yuryevich Khoroshev?
Khoroshev, a Russian national, is a key figure within LockBit. He's known by the online moniker "LockBitSupp" and has played a central role in the group's operations. Khoroshev is believed to be involved in the development and distribution of LockBit ransomware.
Khoroshev wasn't just a LockBit leader; he kept things running. He made sure their hacking tools stayed up-to-date, found new people to write the ransomware code, and managed the other criminals who used LockBit's software. He even tried to keep things going after the U.S. and its allies shut down some of their operations earlier this year.
What Does Khoroshev’s Designation Mean?
The U.S. government's designation of Khoroshev has several implications:
- Khoroshev will face significant financial limitations. His ability to access funds and resources crucial for LockBit's operations will be hampered. The Bitcoin address ‘bc1qvhnfknw852ephxyc5hm4q520zmvf9maphetc9z’, allegedly owned by Khoroshev, was added to the SDN list, restricting any further transactions to and from the address.
- The designation can also restrict Khoroshev's ability to operate freely, potentially hindering LockBit's overall activity.
- This action brings Khoroshev under increased international scrutiny, making it harder for him to move around or conduct business.
The Department of State is offering a hefty reward of up to $10 million USD for information that leads to Khoroshev's arrest or conviction. This significant incentive aims to encourage individuals with knowledge about Khoroshev or LockBit's operations to come forward.
The designation of Khoroshev and the accompanying reward program are a significant blow to LockBit. Khoroshev's financial limitations and the possibility of his arrest could seriously hinder the group's ability to launch ransomware attacks. However, the fight against ransomware is ongoing, and it remains to be seen how LockBit will respond to this latest pressure.