DOJ charges Russian with developing and operating LockBit ransomware

Leading light in group responsible for for 25% of global ransomware attacks last year faces up to 185 years in prison.

“We have unmasked the man behind LockBitSupp”, said Acting US Assistant Attorney General Nicole Argentieri as charges against Dimitry Yuryevich Khoroshev (Дмитрий Юрьевич Хорошев ), 31, were unveiled.

Khoroshev is the latest person to be charged by the Department of Justice (DOJ) in connection with the infamous ransomware group LockBit. Known as the “the most prolific ransomware group in the world”, the group has attacked more than 2,500 victims, extorted over $1 billion and received more than $120m in ransom payments.

Khoroshev, known as “LockBitSupp”, “LockBit”, and “putinkrab”, faces a 26-count indictment for what is alleged to be his role as the creator, developer, and administrator of the LockBit ransomware group from its inception in September 2019 till now.

“Today’s indictment of LockBit developer and operator Dimitry Yuryevich Khoroshev continues the FBI’s ongoing disruption of the LockBit criminal ecosystem,” said FBI Director Christopher Wray. “The LockBit ransomware group represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals.”

The Department of State has also announced a reward of up to $10m for information that leads to his arrest.

Recruited members

Allegedly, in the role of developer and administrator, Khoroshev arranged for the design of the LockBit ransomware code, and recruited other members to deploy it against victims. He also maintained the LockBit infrastructure, providing tools through an online software dashboard for the affiliates to deploy LockBit. He also maintained the “data leak site” – LockBit’s public-facing website where he published stolen data from victims who refused to pay a ransom.

Dimitry Khoroshev.

As the developer of LockBit, Khoroshev is also believed to have received at least $100m in disbursements of crypto through his “developer shares”.

It is alleged that Khoroshev received a 20% share of each ransom payment, and the responsible attacker would receive the remaining 80%.

“Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” said US Attorney Philip R Sellinger for the District of New Jersey.

“The LockBit ransomware group represented one of the most prolific ransomware variants across the globe.”

Christopher Wray, FBI Director

Allegedly, even though LockBit’s infrastructure was disrupted and seized in February, Khoroshev managed to retain copies of data stolen from victims who had paid the ransom demands. Then he and his co-conspirators falsely promised that their stolen data would be deleted after payment.

The DOJ also says that Khoroshev communicated with law enforcement and “urged them to disclose the identities of his RaaS competitors – whom Khoroshev called his ‘enemies’ – in exchange for his services.”

“As part of our unrelenting efforts to dismantle ransomware groups and protect victims, the Justice Department has brought over two dozen criminal charges against the administrator of LockBit, one of the world’s most dangerous ransomware organizations,” said Deputy Attorney General Lisa Monaco.

“Working with US and international partners, we are using all our tools to hold ransomware actors accountable – and we continue to encourage victims to report cyberattacks to the FBI when they happen. Reporting an attack could make all the difference in preventing the next one.”

26 charges

For deploying and administrating LockBit, Khoroshev was charged with:

  • one count of conspiracy to commit fraud, extortion, and related activity in connection with computers;
  • one count of conspiracy to commit wire fraud;
  • eight counts of intentional damage to a protected computer;
  • eight counts of extortion in relation to confidential information from a protected computer; and
  • eight counts of extortion in relation to damage to a protected computer.

The charges carry a maximum penalty of a total 185 years in prison. Each of the 26 counts also carries a maximum fine of $250,000, pecuniary gain to the offender, or pecuniary harm to the victim.

“Earlier this year, the Justice Department and our UK law enforcement partners disrupted LockBit, a ransomware group responsible for attacks on victims across the United States and around the world,” said Attorney General Merrick B Garland. “Today we are going a step further, charging the individual who we allege developed and administered this malicious cyber scheme, which has targeted over 2,000 victims and stolen more than $100m in ransomware payments.”

US, UK and Australia sanctions

The Department of the Treasury’s Office of Foreign Assets Control, and authorities in the UK and Australia have also announced sanctions on Khoroshev for his role in launching cyberattacks.

“The United States, in close coordination with our British and Australian partners, will continue to hold accountable the individuals responsible for these disruptive and threatening activities,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E Nelson.

“These sanctions are an important moment in our fight against cyber criminals behind the LockBit ransomware group, which is now on its knees following our disruption earlier this year,” said Graeme Biggar, the UK’s National Crime Agency Director General.

Operation disrupted LockBit

The charges against Khoroshev follow the disruption of LockBit ransomware in February. Global forces had multiple public-facing websites seized, and got hold of 34 servers. Biggar described the successful action as “LockBit are locked out.”

The operation, conducted under the name Operation Cronos, was a joint mission of 10 countries led by the UK National Crime Agency’s (NCA) Cyber Division, and included the DOJ, the FBI, and other international law enforcement partners. The taskforce has also developed decryption capabilities that could help victims to restore hacked and encrypted systems, and encourage victims to contact the FBI to determine whether affected systems can be decrypted. 

Two other members of the hacker gang were also charged within the operation, Russian nationals Artur Sungatov and Ivan Kondratyev (known as Bassterlord).

“Today we are going a step further, charging the individual who we allege developed and administered this malicious cyber scheme.”

Merrick B Garland, US Attorney General

Three other affiliates have also been charged in connection with the ransomware gang.

  • November 2022: Mikhail Vasiliev was charged over his work with LockBit. He is currently in custody in Canada awaiting extradition to the US.
  • May 2023: Two indictments were unsealed against Mikhail Matveev, also known as “Wazawaka,” “m1x,” “Boriselcin,” and “Uhodiransomwar, – charging him with using different ransomware variants, including LockBit, to attack multiple victims in the US.
    He is also subject of a reward of up to $10m for information that leads to his arrest.
  • June 2023: Ruslan Magomedovich Astamirov was charged for his participation in the LockBit group, and is currently in custody awaiting trial.

LockBit ransomware group

  • The group first appeared at the end of 2019 – but under the name ABCD ransomware. LockBit then appeared around January 2020, and has carried out attacks on more than 2,500 victims around the world. Of those, about 1,800 were based in the US. It has made demands of more than hundreds of millions of dollars and received more than $120m in ransom payments.
  • The victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.
  • Lockbit was responsible for 25% of ransomware attacks globally during 2023, and 18% of total reported Australian ransomware incidents in 2022-2023.
  • Europol describes the group as “the world’s most harmful ransomware” operation, and “infamous for experimenting with new methods for pressuring their victims into paying ransoms.” These include ‘Triple extortion’, where the victim’s data is encrypted and the group threatens to leak it; and Distributed Denial-of-Service (DDoS) attacks, where servers are flooded with attacks and users prevented from accessing connected online services and sites.