TL;DR: Authorities are hot on the trail of one of the leaders of the notorious ransomware gang LockBit. The FBI and National Crime Agency (NCA) believe he is holed up in Russia and has taken measures to ensure he remains there until caught. The suspect has had his assets frozen and was added to the no-fly list. The US has also offered $10 million to anyone with information leading to his arrest and conviction.
Earlier this week, an international cybercrime coalition calling itself Operation Cronos appeared to taunt the ransomware gang known as LockBit by reposting a spoofed version of one of its websites. The law-enforcement group, headed up by the US's FBI and the UK's NCA, also teased that it had something else to reveal "in 24 hours" (from Monday).
True to its word, the NCA revealed what it was referring to in a May 7 post on X. The joint agencies had already hinted that they were looking for an unnamed suspect believed to be hiding out in Kaliningrad, Russia. Its post may have revealed that person's identity as Russian national Dmitry Khoroshev.
A leader of what was once the world's most harmful cyber crime group has been unmasked and sanctioned by the UK, US and Australia, following an NCA-led international disruption campaign. #Cronos @FBI @Europol
Full story ➡️ https://t.co/ECxlgOTH5E pic.twitter.com/iYz4w2jheK
– National Crime Agency (NCA) (@NCA_UK) May 7, 2024
The NCA claims that Khoroshev is LockBitSupp, one of the leaders of the LockBit ransomware ring. While the agency did not specifically link him to the suspect hiding in Kaliningrad, there is a $10 million bounty for information leading to his arrest, the same amount mentioned for the Kaliningrad suspect. Khoroshev is wanted on 26 counts of "computer fraud and abuse" in the US that allegedly earned him over $100 million. The outed ringleader faces sanctions from the US, UK, and Australia, which include the freezing of assets and being put on the no-fly list.
"These sanctions are hugely significant and show that there is no hiding place for cyber criminals like Dmitry Khoroshev, who wreak havoc across the globe," said NCA Director General Graeme Biggar. "He was certain he could remain anonymous, but he was wrong."
Cronos also revealed various stats and data that it seized in its February raid (video below).
As well as uncovering the real-world identity of LockBitSupp, Op #Cronos has given the NCA and partners a deep insight into LockBit's operations and network.
Dmitry Khoroshev and his LockBit network thought they were anonymous. Here's what they've really been up to. pic.twitter.com/KNRZY93cjy
– National Crime Agency (NCA) (@NCA_UK) May 8, 2024
The reveal came after an anonymous LockBit administrator told the cybersecurity website VXUG that Cronos was just putting on a show, bragging about LockBit being up and running less than a week after Cronos disrupted operations. Despite LockBit's speed in resuming its illegal enterprise, Biggar says the joint disruption operation has been successful.
"We know our work to disrupt LockBit thus far has been extremely successful in degrading their capability and credibility among the criminal community. The group's attempt at rebuilding has resulted in a much less sophisticated enterprise with significantly reduced impact. Today's announcement puts another huge nail in the LockBit coffin and our investigation into them continues."
LockBit has only been around for about five years, but in that time, authorities estimate that it has done about a billion dollars in illegal business. In addition to distributing ransomware and extorting its victims, it sells stolen files on the dark web and rents its ransomware software to other criminals for a commission.
LockBit has had some prominent victims, as well. It has attacked more than 1,700 businesses in the US. Last November, it hit Boeing, leaking a large cache of data from the aerospace firm's systems. Last year, it locked up systems at the financial trading services group ION, which handles the world's largest banks, brokerages, and hedge funds. It also disrupted US Treasury securities when it hit the Industrial and Commercial Bank of China.
Image credit: Richard Patterson