Date: 2024-05-07
The leader of LockBit was unmasked and sanctioned
A leader of what was once the world's most damaging cybercrime group has been unmasked and sanctioned by the UK, US and Australia, following an international disruption campaign led by the National Crime Agency.
Sanctions against Russian national Dmitry Khoroshev (pictured), the administrator and developer of the LockBit ransomware cluster, were announced today by the FCDO along with the US Department of the Treasury's Office of Foreign Assets Control (OFAC) and the Australian Department of Labor external.
Khoroshev, AKA LockBitSupp, who thrived on anonymity and offered a $10 million reward to anyone who could reveal his identity, will now be subject to a series of asset freezes and travel bans.
American partners have also filed a lawsuit against him and are offering a reward of up to $10 million for information leading to his arrest and/or conviction.
The actions targeting Khoroshev are part of a wide-ranging and ongoing investigation into the LockBit group by the NCA, the FBI and international partners who form the Operation Cronos task force.
LockBit offered ransomware-as-a-service (RaaS) to a global network of hackers or collaborators, supplying them with the tools and infrastructure to carry out attacks.
In February, the NCA announced it had penetrated the group's network and taken control of its services, including its dark web leak site, which compromised the entire criminal enterprise.
The true impact of LockBit's criminality was previously unknown, but data obtained from their systems showed that between June 2022 and February 2024, more than 7,000 attacks were built using their services. The five hardest hit countries were the US, UK, France, Germany and China.
Pictured: The NCA seized control of the group's services including its leak site on the dark web
The attacks targeted over 100 hospitals and healthcare companies, and at least 2,110 victims were forced into some degree of bargaining by cybercriminals.
The group has attempted to rebuild over the past two months; however, the NCA assesses that as a result of this investigation, they are currently operating at limited capacity and the global threat from LockBit has been significantly reduced.
LockBit has created a new leak page on which it has inflated its apparent activity by publishing victims targeted before the NCA took control of its services in February, as well as taking credit for attacks carried out using other types of ransomware.
The data shows that the average number of monthly LockBit attacks has fallen by 73% in the UK since the February crackdown, with other countries also reporting reductions. The attacks appear to have been carried out by less sophisticated associates with lower levels of influence.
In addition to uncovering the real-world identity of LockBitSupp, the Operation Cronos investigation has given the NCA and partners deep insight into LockBit's operations and network.
Of the 194 affiliates identified as using LockBit's services by February 2024:
- 148 built attacks.
- 119 engaged in negotiations with the victims, meaning they eventually decided to attack.
- Of the 119 who began negotiations, 39 appear to have never received a ransom payment.
- 75 did not engage in any negotiations, so they also appear not to have received any ransom payments.
This means that up to 114 affiliates paid thousands to join the LockBit program and caused unknown levels of damage, meaning they will be targeted by law enforcement, but never made any money from their criminality.
Active affiliate numbers have also dropped significantly, to 69, since February.
The NCA found numerous examples of attacks where the decryptor provided by LockBit to victims who had paid ransoms did not work and where they received no support from affiliates or LockBit, further highlighting their unreliability.
In an affiliate attack against a children's hospital in December 2022, LockBitSupp issued an apology on their leak page and confirmed that it had provided the victim with the decryptor for free.
It said that the attacker had violated their rules, was blocked and was no longer in their affiliate program. In fact, they remained an active LockBit affiliate until the February 2024 shutdown, with NCA analysis showing that they continued to build 127 unique attacks, engaged in 50 negotiations with victims, and received numerous ransom payments.
Finally, as verified by investigators, LockBit did not routinely delete stolen data after a ransom was paid.
NCA Director General Graeme Biggar said: "These sanctions are hugely important and show that there is no hiding place for cybercriminals like Dmitry Khoroshev, who wreak havoc across the globe. He was sure he could remain anonymous, but he was wrong.
"We know that our work to disrupt LockBit has so far been extremely successful in degrading their capabilities and credibility among the criminal community. The group's attempt at reconstruction has resulted in a much less sophisticated enterprise with significantly reduced impact.
"Today's announcement puts another big nail in LockBit's coffin and our investigation into them continues. We are now also targeting affiliates that have used LockBit services to launch devastating ransomware attacks on schools, hospitals and large companies around the world.
"Working with our international partners, we will use all the tools at our disposal to target other groups like LockBit, expose their leadership and undermine their operations to protect the public."
Sanctions Minister Anne-Marie Trevelyan said: "Together with our allies we will continue to crack down on hostile cyber activity that is destroying livelihoods and businesses around the world.
"In sanctioning one of the leaders of LockBit, we are taking direct action against those who continue to threaten global security while exposing malicious cyber-criminal activity originating in Russia."
Security Minister Tom Tugendhat said: "Cyber criminals think they are untouchable, hiding behind anonymous accounts as they try to extort money from their victims.
"By exposing one of the leaders of LockBit, we are sending a clear message to these heartless criminals. You can't hide. You will face justice."
The NCA and international partners now have over 2,500 decryption keys and are continuing to contact LockBit victims to offer support. The agency has so far proactively contacted nearly 240 LockBit victims in the UK.
Public reporting is absolutely vital in supporting global law enforcement to effectively tackle ransomware. If you are in the UK, you should use the government's cyber incident reporting site as soon as possible, for guidance on which agencies to report your incident to.
The Operation Cronos task force includes the NCA, the South West Regional Organized Crime Unit (SWROCU) and the Metropolitan Police Service in the UK; the FBI and the US Department of Justice; Europol, Eurojust and law enforcement partners in France (Gendarmerie), Germany (LKA and BKA), Switzerland (Fedpol and Zurich Cantonal Police), Japan (National Police Agency), Australia (Australian Federal Police), Sweden (Swedish Police Authority), Canada (RCMP) and the Netherlands (National Police – Politie).
This operation was also supported by the National Bureau of Investigation in Finland.
