US Charges LockBit Ransomware Mastermind, Offers $10M Reward

Published: 08 May 2024

Dmitry Yuryevich Khoroshev, believed to be the mastermind and administrator of the notorious Russia-based LockBit ransomware group. (Photo: U.S. Department of the Treasury, License)

By Zdravko Ljubas

The United States sanctioned and charged a Russian national on Tuesday for operating the world’s most prolific and harmful ransomware group, LockBit, which is believed to have extorted half a billion dollars from victims around the globe.

Washington has offered a reward of US$10 million for information leading to the arrest of Dmitry Yuryevich Khoroshev, described as “the creator, developer, and administrator” of the ransomware group. He has been indicted on 26 counts and could face up to 185 years in prison if brought to justice. The U.S. also accused Russia of harboring cybercriminals.

Khoroshev and his “affiliate co-conspirators grew LockBit into what was, at times, the most active and destructive ransomware variant in the world,” according to the indictment.

The document unveils that Khoroshev raked in a staggering 20 percent from every ransom payment extorted from LockBit victims, amassing a sum of at least $100 million in digital currency. The remaining 80 percent of each ransom payment was allegedly funneled to the affiliate responsible for the attack.

The charges encompass a wide range of offenses, including conspiracy to commit fraud, extortion, and related activity in connection with computers; conspiracy to commit wire fraud; intentional damage to a protected computer; extortion related to confidential information from a protected computer; and extortion related to damage to a protected computer.

According to the U.S. Department of the Treasury, the designation of Khoroshev is the outcome of a collaborative effort involving the U.S. Department of Justice, Federal Bureau of Investigation (FBI), the United Kingdom’s National Crime Agency (NCA), the Australian Federal Police (AFP), and other international partners.

These moves come on the heels of numerous recent U.S. Government initiatives targeting Russian cybercriminals engaged in ransomware activities, such as the dismantling of LockBit ransomware infrastructure and the imposition of sanctions on LockBit group associates.

“Today’s action reaffirms our commitment to dismantling the ransomware ecosystem and exposing those who seek to conduct these attacks against the United States, our critical infrastructure, and our citizens,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson.

The U.S. administration further cautioned that Russia, where entities like LockBit enjoy impunity to execute ransomware assaults against the U.S. and its allies, “continues to offer safe harbor for cybercriminals,” and reiterated the call for Moscow to implement tangible measures to curb the unhindered operation of cybercriminals within its borders.

According to the Justice Department, LockBit has targeted over 2,500 victims worldwide, including 1,800 victims in the U.S., amassing more than $500 million in ransom payments.

It highlighted that since January 2020, affiliates employing LockBit have launched assaults on various critical infrastructure sectors, encompassing financial services, education, emergency services, and healthcare.

The U.S. Treasury Department further noted that LockBit operates on a ransomware-as-a-service (RaaS) model, leasing its ransomware software to affiliated cybercriminals for a fee, which includes a percentage of the ransom payments received.

Additionally, it emphasized LockBit’s notoriety for its double extortion strategy, whereby cybercriminals extract significant amounts of data from victims before encrypting their computer systems and demanding ransom payments.

The latest move by the U.S. against LockBit serves as a sequel to a high-stakes operation in February this year, where law enforcement from 10 countries joined forces to dismantle the criminal network of the notorious Russian ransomware group at every tier.

The February international crackdown stemmed from a sophisticated investigation spearheaded by the NCA, within the framework of Operation Cronos, an international task force orchestrated by Europol and Eurojust.

Over several months, law enforcement agencies infiltrated LockBit’s core platform and critical infrastructure, targeting 34 servers scattered across multiple countries, including the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom.