The identity of the leader of one of the most notorious ransomware groups in history has finally been revealed.
On Tuesday, a coalition of law enforcement agencies led by Britain’s National Crime Agency announced that Russian citizen Dmitry Yuryevich Khoroshev, 31, is the person behind the moniker LockBitSupp, the administrator and developer of LockBit ransomware. The US Department of Justice also announced the indictment against Khoroshev, accusing him of computer crimes, fraud and extortion.
“Today we are going a step further and charging the person we believe designed and managed this malicious cyber program that targeted over 2,000 victims and stole more than $100 million in ransomware payments,” the Attorney General said Merrick B. Garland quoted in the announcement.
According to the Justice Department, Khoroshev is from Voronezh, a city in Russia about 300 miles south of Moscow.
“Dmitry Khoroshev designed, developed and managed Lockbit, the world’s most widespread ransomware variant and group, allowing him and his partners to wreak havoc and cause billions of dollars in damages to thousands of victims around the world,” U.S. Attorney said Philip R. Sellinger for the District of New Jersey, where Khoroshev was indicted.
The law enforcement coalition disclosed LockBitSupp’s identity in press releases as well as on LockBit’s original dark website, which authorities seized earlier this year. On the website, the US State Department announced a $10 million reward for information that could help authorities arrest and convict Khoroshev.
The U.S. government also announced sanctions against Khoroshev, effectively barring anyone from doing business with him, such as victims who pay a ransom. Sanctioning those behind ransomware makes it harder for them to profit from cyberattacks. Violations of sanctions, including paying a sanctioned hacker, can result in large fines and criminal prosecution.
LockBit has been active since 2020 and according to the US cybersecurity agency CISA, the group’s ransomware variant was “the most widely deployed” in 2022.
On Sunday, the law enforcement coalition restored LockBit’s seized dark website to publish a list of posts designed to tout the latest revelations. In February, authorities announced that they had taken control of LockBit’s website and replaced the hackers’ posts with their own posts that included a press release and other information related to what the coalition called “Operation Cronos.”
Shortly thereafter, LockBit appeared to come back with a new website and a new list of alleged victims, which was updated as of Monday. According to a security researcher Who is following the group?
For weeks, LockBit’s leader, known as LockBitSupp, had loudly and publicly sought to deny the law enforcement operation and show that LockBit was still active and targeting victims. In March, LockBitSupp gave an interview to The Record news channel in which they claimed that Operation Cronos and law enforcement actions had “no business impact.”
“I see this as additional publicity and an opportunity to show everyone the strength of my character. I won’t let myself be intimidated. “What doesn’t kill you makes you stronger,” LockBitSupp told The Record.