Mastermind Behind LockBit Ransomware The US Justice Department recently charged Dimitry Yuryevich Khoroshev, a 31-year-old Russian citizen, in a 26-count indictment as the alleged mastermind behind LockBit ransomware-as-a-service (RaaS). Known by his cyber pseudonyms LockBitSupp, LockBit, and putinkrab, Khoroshev is accused of designing the LockBit malware, recruiting affiliates to deploy the ransomware, maintaining the RaaS infrastructure and the LockBit leak site, and allegedly receiving over $100 million as his share from the ransom payments made by victims. The LockBit RaaS launched in September 2019 and was disrupted by law enforcement in February 2024. Yet, despite this significant setback, the RaaS administrators managed to restore some of the service’s infrastructure, launched a new leak site, and resumed operations shortly after. The indictment revealed that the LockBit ransomware was responsible for attacks against over 2,500 victims in more than 120 countries, with the US being the most targeted with 1,800 victims. The ransomware group targeted various victims, from individuals and small businesses to critical infrastructure, hospitals, schools, corporations, non-profit organizations, and government and law enforcement agencies. As a result, the group received at least $500 million in ransom payments. In addition to encrypting the victims’ data, the LockBit group exfiltrated it, using it as leverage to pressure victims into paying ransom by threatening to make the data public. After the February 2024 disruption, law enforcement authorities discovered that Khoroshev retained copies of the stolen data, even when the victims paid the ransom, going against his and the LockBit affiliates’ promises to delete the data after payment. Khoroshev is facing charges including fraud, extortion, and damaging protected computers. If convicted, these charges carry a maximum penalty of 185 years in prison. Khoroshev is the sixth individual charged for his role in the LockBit operation. Previously, Mikhail Vasiliev, Mikhail Matveev, Ruslan Magomedovich Astamirov, Artur Sungatov, and Ivan Kondratyev faced similar charges. On Tuesday, the US announced sanctions against Khoroshev and offered a reward of up to $10 million for information leading to his arrest. This follows a previously announced reward for information on the LockBit group leaders. The United Kingdom and Australia also announced sanctions against Khoroshev on the same day. Earlier in February, an international law enforcement effort called Operation Cronos severely disrupted the LockBit infrastructure, resulting in two arrests, the shutdown of 34 servers, the closure of over 14,000 rogue accounts, and the freezing of over 200 cryptocurrency accounts. After infiltrating the LockBit infrastructure, the UK National Crime Agency (NCA) uncovered that the group conducted over 7,000 attacks between June 2022 and February 2024, primarily against entities in the US, UK, France, Germany, and China. This included over 100 attacks on hospitals and healthcare organizations. The NCA estimates that the group has extorted over $1 billion from its victims. While LockBit continues to operate, its activity has reduced by more than 70% compared to the pre-disruption levels, at least in the UK. The NCA identified 194 affiliates using the LockBit RaaS before the disruption, but this number has dropped to 69 since February. The agency has provided a list of all discovered identities, including the full names of the newer affiliates. The NCA currently possesses over 2,500 decryption keys and is working on contacting LockBit victims to help them recover their data. As Operation Cronos continues with support from law enforcement agencies in 10 countries, Europol announced that over 3,500 LockBit victims in 33 countries were identified. Victims can use a free recovery tool available on the NoMoreRansom site to restore their data. In conclusion, the arrest of the alleged LockBit mastermind is a significant victory in the ongoing battle against ransomware. It serves as a stark reminder to cybercriminals about the potential repercussions of their actions. At the same time, it underscores the critical role of international cooperation in combating cybercrime. As the cyber threat landscape continues to evolve, businesses, individuals, and law enforcement agencies must stay one step ahead of cybercriminals. At SpearTip, our ransomware threat assessment combines policy evaluation and technical testing. The team assesses vulnerabilities within your environment that could lead to ransomware attacks. You will receive actionable advice to adopt practices to mitigate and prevent these types of events. SpearTip’s fully managed Security Operations Center (SOC) is more than a place or single-pronged software. Our SOC is a 24/7/365 command center where our certified, experienced engineers and analysts, who are empowered and prepared to remediate any suspicious activity in real-time, keep watch over our client environments. While our security team is the SOC’s life force, our ShadowSpear Platform gives the team a decisive advantage over threat actors attempting to breach your environment. The ShadowSpear Platform is an integrable security solution with the combined capabilities of SIEM, AV, MDR, anti-phishing tools, and much more. Our SOC provides your business with a team of experienced professionals, 24/7/365 monitoring and threat remediation, and a proven cybersecurity tool dedicated to ensuring threat actors never establish a foothold in your environment. SpearTip is a trusted provider of breach coaches and carriers. Our team specializes in incident response capabilities and handling breaches with industry-standard response times. Our onsite Security Operations Center is staffed 24 hours a day, working in a continuous investigative cycle, ready to respond to events at a moment’s notice. If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.


Connect With Us

Featured Articles

DNS Tunneling
DNS Tunneling: New Tactic To Scan Networks and Track Victims
10 June 2024
Mastermind Behind LockBit Ransomware
Mastermind Behind LockBit Ransomware Unveiled and Charged
07 June 2024
Unchecked User Privileges
Unchecked User Privileges: How to Counter
03 June 2024
Cloud Migration
Cloud Migration Impact on Network Security
28 May 2024

See ShadowSpear in Action

Identify, neutralize, and counter cyberattacks - provide confidence in your security posture

Stay Connected With SpearTip

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.