LockBit Ransomware group: Ringleader identified, indicted and sanctioned

In a stunning global crackdown, the cyber world’s most elusive villain, ‘LockBitSupp’, has been stripped of his anonymity. The National Crime Agency (NCA), the US Department of Justice, and Europol revealed that the mastermind behind ‘LockBit’, the infamous ransomware syndicate, has been cornered. Dmitry Khoroshev, known in the digital underworld as ‘LockBitSupp’, now faces a barrage of 26 charges. The coordinated might of the UK, US, and Australia has brought this cyber saga to a climax, imposing severe sanctions that have shaken the realms of cyber crime.

Figure 1: NCA News release
Who are the LockBit Ransomware group?
LockBit is widely recognized as one of the world’s most prolific and harmful ransomware groups, causing millions of US dollars’ worth of damage. LockBit’s ransomware-as-a-service model licenses its software to other cybercriminals (called affiliates) in exchange for payments that include a percentage of the ransoms paid by victims. Those victims included “individuals, small businesses, multinational corporations, hospitals, schools, non-profit organizations, critical infrastructure, and government and law-enforcement agencies,” according to the US Department of Justice (DOJ).
10 nations unite to capture Khoroshev
Europol joined forces with law enforcement agencies from 10 countries (led by the NCA and FBI) to launch Operation Cronos. As a result of the operation, law enforcement agencies seized IT infrastructure, including 34 servers that were operating in aid of LockBit, around 1,000 decryption keys, and over 14,000 rogue accounts, and froze over 200 cryptocurrency accounts. Additionally, 2 arrests were made in Poland and Ukraine, 3 international arrest warrants were issued in France and the US, along with 5 indictments. Immediately after the seizure, LockBit activity was minimal; however, soon after, the group launched a new darknet site and resumed posting threats to organizations.
Law Enforcement announces LockBit ringleader
The NCA, the US Department of Justice, and Europol announced that LockBitSupp, the mastermind of the ransomware group, was identified as Dmitry Khoroshev, a 31-year-old Russian national living in the southwestern Russian city of Voronezh. The same announcement was made by reusing an exposed site seized from LockBit (Figure 2).
Khoroshev has been indicted in the US on 26 charges, including conspiracy to commit fraud, extortion and related activity in connection with damage to protected computer systems, which together carry a maximum penalty of 185 years in prison. The U.S. Department of State (State) announced a reward of up to $10 million for information leading to his arrest and/or conviction. Additionally, sanctions have been imposed on Khoroshev in the UK, US, and Australia, which include targeted financial sanctions and travel bans.

Figure 2: LockBit Information Site Created and Published by Law Enforcement, Reusing the Group’s Former Exposed Site
To date, LockBit and its affiliates have received approximately $500 million in ransoms from victims, according to the US indictment. As the ringleader, Khoroshev reportedly pocketed around $100 million, from which he paid for LockBit’s operations.
In May, the National Police Agency of Japan announced that it was working with foreign authorities to promote a ransomware investigation in response to an announcement by the NCA and other organizations, including providing information obtained from a domestic ransomware investigation.
In response to the announcement, LockBitSupp posted on the LockBit group’s leak site, in both Russian and English, denying being Dmitry Khoroshev and asserting that authorities are wrong in their identification of the ringleader.
Along with announcing the identity of LockBit’s ringleader, the NCA also announced the results of its February seizure operation. It stated that between June 2022 and February 2024, LockBit and its affiliates carried out attacks against around 7,000 organizations worldwide. It also noted that LockBit attacks fell 73% in the UK after the operation, with similar declines seen in other countries. Of the 194 affiliates identified so far, only 69 are active.
Summary
Public attribution is used by law enforcement agencies and governments to identify and publicize perpetrators and methods of cyberattacks and cybercrimes to detect crimes and demonstrate investigative capabilities.
The internationally coordinated efforts in the February seizure operation resulted in the loss of LockBit’s cyber-crime affiliates, significantly weakening LockBit’s abilities. Now that investigators have identified and released details of LockBit’s alleged mastermind, it is assumed and hoped that this will further restrict LockBit and eventually shut it down completely.
About our Cyber Security Insights
This blog post is part of our Cyber Security Insights, which are released several times every month, providing invaluable insights into the evolving threat landscape. Crafted by NTT Security Japan Inc. Consulting Services Department’s OSINT Monitoring Team and NTT Security Sweden’s Incident Response Team, our content includes expert analysis on recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.
Sources:
- National Crime Agency, “LockBit leader unmasked and sanctioned”
- U.S. Department of Justice, “U.S. Charges Russian National with Developing and Operating LockBit Ransomware”
- Europol, “New series of measures issued against the administrator of LockBit”
- U.S. Department of the Treasury, “United States Sanctions Affiliates of Russia-Based LockBit Ransomware Group”
- Europol, “Law enforcement disrupt world’s biggest ransomware operation”
- National Crime Agency, “International investigation disrupts the world’s most harmful cyber crime group”
- U.S. Department of Justice, “U.S. and U.K. Disrupt LockBit Ransomware Variant”
- U.S. Department of Justice, “lockbit_indictment.pdf”
- National Police Agency, “Indictment of Suspect for LockBit Ransomware”