LockBit Ransomware Administrator Revealed as Russian Hacker Dmitry Khoroshev

The mastermind behind the notorious LockBit ransomware operation has been identified as Dmitry Yuryevich Khoroshev, a 31-year-old Russian individual. Khoroshev's identity was disclosed by the U.K. National Crime Agency (NCA), and sanctions from multiple international bodies followed, including the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.

Europol announced that it holds over 2,500 decryption keys to aid LockBit victims and that efforts to provide support are ongoing. Khoroshev, known by the aliases LockBitSupp and putinkrab, faces asset freezes, travel bans, and a $10 million reward from the U.S. Department of State for information leading to his arrest or conviction.

The U.S. Department of Justice (DoJ) has unsealed an indictment against Khoroshev, listing 26 charges, including conspiracy to commit fraud and extortion, wire fraud, and intentional damage to protected computers. These charges could result in a maximum sentence of 185 years in prison, accompanied by significant monetary penalties.

The LockBit conspiracy, now targeted by law enforcement, has seen six members charged, including Khoroshev and others like Mikhail Vasiliev and Artur Sungatov. The NCA continues its investigation into LockBit affiliates who have conducted ransomware attacks globally, affecting sectors such as education, healthcare, and corporations.

LockBit, once a prolific ransomware-as-a-service (RaaS) entity, was dismantled in February as part of Operation Cronos, having victimized over 2,500 entities worldwide and amassed more than $500 million in ransom payments. The group's business model involved licensing ransomware software to affiliates in exchange for a significant share of the ransom payments, employing double extortion tactics by exfiltrating sensitive data before encryption.

Despite attempts to resurface, LockBit's efforts have faltered, with law enforcement thwarting its activities. The group's new data leak site attempts to fabricate activity by inflating victim numbers and falsely claiming attacks that were perpetrated using other ransomware strains.

The NCA's investigation reveals insights into LockBit's operations, including the involvement of 194 affiliates, though the number has dwindled to 69. Notably, many victims who negotiated with LockBit did not receive ransom payments, and decryptors provided to victims often failed to work effectively.

As a core leader and developer of LockBit, Khoroshev was involved in the operational and administrative aspects of the cybercrime group and benefited financially from its ransomware attacks. He facilitated infrastructure upgrades, recruited developers, managed affiliates, and spearheaded efforts to sustain operations after the disruption by international authorities.
