What We Learned from the Indictment of LockBit's Masterminds | TechCrunch - Latest Global News

On Tuesday, U.S. and British authorities revealed that the mastermind behind LockBit, one of the most prolific and damaging ransomware groups in history, is a 31-year-old Russian named Dmitry Yuryevich Khoroshev, also known as “LockBitSupp.”

As is typical with such announcements, law enforcement released images of Khoroshev as well as details of his group’s operations. The US Department of Justice has charged Khoroshev with multiple computer crimes, fraud and extortion. The authorities also revealed some details about LockBit’s previous operations.

Earlier this year, authorities seized LockBit’s infrastructure and the gang’s data assets, revealing key details of how LockBit operates.

Today we have more details about what federal authorities described as “a massive criminal organization” that was at times considered the most prolific and destructive ransomware group in the world.

This is what we learned from the indictment against Khoroshev.

Khoroshev had a second nickname: Putinkrab

The leader of LockBit was publicly known by the not very imaginative nickname LockBitSupp. But Khoroshev also had another online identity: Putinkrab. The indictment does not contain any information about the online name, although it appears to refer to Russian President Vladimir Putin. However, there are several online profiles with the same nickname on Flickr, YouTube and Reddit, although it is unclear whether these accounts were run by Khoroshev.

LockBit also hit victims in Russia

According to experts, there is a sacred, unwritten rule in the world of Russian cybercrime: hack anyone outside Russia, and local authorities will leave you alone. Surprisingly, Khoroshev and his co-conspirators “also used LockBit against multiple Russian victims,” according to the government.

It remains to be seen whether this means Russian authorities will take action against Khoroshev, but at least they now know who he is.

Khoroshev kept an eye on his allies

Ransomware operations like LockBit are referred to as ransomware-as-a-service. That is, there are developers who create the software and infrastructure, like Khoroshev, and then there are affiliates that operate and deploy the software, infect victims and extort ransoms. Federal authorities alleged that affiliates paid Khoroshev about 20% of their proceeds.

According to the indictment, this business model allowed Khoroshev to “closely monitor” his partners, including access to and partial participation in victim negotiations. Khoroshev “even demanded identification documents from his partner Coconspirators, which he also stored on his infrastructure.” This likely allowed law enforcement to identify some of LockBit’s affiliates.

Khoroshev also developed a tool called “StealBit” that complemented the main ransomware. This tool allowed partners to store data stolen from victims on Khoroshev’s servers and sometimes publish it on LockBit’s official dark web leak site.

LockBit ransomware payments totaled around $500 million

LockBit was launched in 2020, and since then its affiliates have successfully extorted at least about $500 million from approximately 2,500 victims ranging from “large multinational corporations to small businesses and individuals, including hospitals, schools, non-profit organizations, critical infrastructure facilities, and government and law enforcement.”

Aside from the ransom payments, LockBit caused “billions of dollars in damages worldwide” as the gang disrupted victims’ operations and forced many to pay for incident response and recovery services, authorities claimed.

Khoroshev contacted authorities to identify some of his associates

Perhaps the most shocking of the recent revelations: In February, after the coalition of global law enforcement agencies shut down LockBit’s website and infrastructure, “Khoroshev communicated with law enforcement and offered his services in exchange for information about the identity of his [ransomware-as-a-service] competitors.”

According to the indictment, Khoroshev asked law enforcement to “[g]ive me the names of my enemies.”
