The United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the infamous ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev and charged him with using Lockbit to attack more than 2,000 victims and extort at least $100 million in ransomware payments.
Khoroshev (Дмитрий Юрьевич Хорошев), a resident of Voronezh, Russia, was charged in a 26-count indictment by a grand jury in New Jersey.
“Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” U.S. Attorney Philip R. Sellinger said in a statement released by the Justice Department.
The indictment alleges Khoroshev acted as the LockBit ransomware group’s developer and administrator from its inception in September 2019 through May 2024, and that he typically received a 20 percent share of each ransom payment extorted from LockBit victims.
The government says LockBit victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.
“Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery,” the DOJ said. “The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States.”
The unmasking of LockBitSupp comes nearly three months after U.S. and U.K. authorities seized the darknet websites run by LockBit, retrofitting it with press releases about the law enforcement action and free tools to help LockBit victims decrypt infected systems.
One of the blog captions that authorities left on the seized site was a teaser page that read, “Who is LockbitSupp?,” which promised to reveal the true identity of the ransomware group leader. That item featured a countdown clock until the big reveal, but when the site’s timer expired no such details were offered.
Following the FBI’s raid, LockBitSupp took to Russian cybercrime forums to assure his partners and affiliates that the ransomware operation was still fully operational. LockBitSupp also raised another set of darknet websites that soon promised to release data stolen from a number of LockBit victims ransomed prior to the FBI raid.
One of the victims LockBitSupp continued extorting was Fulton County, Ga. Following the FBI raid, LockbitSupp vowed to release sensitive documents stolen from the county court system unless paid a ransom demand before LockBit’s countdown timer expired. But when Fulton County officials refused to pay and the timer expired, no stolen records were ever published. Experts said it was likely the FBI had in fact seized all of LockBit’s stolen data.
LockBitSupp also bragged that their real identity would never be revealed, and at one point offered to pay $10 million to anyone who could discover their real name.
KrebsOnSecurity has been in intermittent contact with LockBitSupp for several months over the course of reporting on different LockBit victims. Reached at the same ToX instant messenger identity that the ransomware group leader has promoted on Russian cybercrime forums, LockBitSupp claimed the authorities named the wrong guy.
“It’s not me,” LockBitSupp replied in Russian. “I don’t understand how the FBI was able to connect me with this poor guy. Where is the logical chain that it is me? Don’t you feel sorry for a random innocent person?”
LockBitSupp, who now has a $10 million bounty for his arrest from the U.S. Department of State, has been known to be flexible with the truth. The Lockbit group routinely practiced “double extortion” against its victims — requiring one ransom payment for a key to unlock hijacked systems, and a separate payment in exchange for a promise to delete data stolen from its victims.
But Justice Department officials say LockBit never deleted its victim data, regardless of whether those organizations paid a ransom to keep the information from being published on LockBit’s victim shaming website. Continue reading