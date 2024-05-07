Recorded remarks of US Attorney Philip R. Sellinger for the District of New Jersey

The US Department of Justice filed charges today against a Russian national for his alleged role as the creator, developer and administrator of the LockBit ransomware group from its inception in September 2019 to the present day. At one time, LockBit was the most prolific ransomware group in the world.

Earlier this year, the Department of Justice and our UK law enforcement partners disrupted LockBit, a ransomware group responsible for attacks on victims across the United States and around the world, said Attorney General Merrick B. Garland . Today we're going one step further, charging the individual we allege developed and administered this malicious cyber scheme, which targeted over 2,000 victims and stole more than $100 million in ransomware payments. We will continue to work closely with our partners across the U.S. government and around the world to disrupt cybercriminal operations like LockBit and find and hold accountable those responsible.

As part of our continued efforts to dismantle ransomware groups and protect victims, the Department of Justice has filed over two dozen criminal charges against the administrator of LockBit, one of the world's most dangerous ransomware organizations, said Deputy Attorney General Lisa Monaco. Working with US and international partners, we are using all of our tools to hold ransomware actors accountable and continue to encourage victims to report cyber attacks to the FBI when they occur. Reporting an attack can make the difference in preventing the next attack.

Dimitry Yuryevich Khoroshev ( ), also known as LockBitSupp, LockBit and putinkrab, 31, of Voronezh, Russia, is charged in a 26-count indictment returned by a grand jury in the District of New Jersey.

Today's indictment of LockBit developer and operator Dimitry Yuryevich Khoroshev continues the FBI's ongoing disruption of the LockBit criminal ecosystem, said FBI Director Christopher Wray. The LockBit ransomware group represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals. The charges announced today reflect the FBI's unwavering commitment to disrupting ransomware organizations and holding perpetrators accountable.

The indictment against Khoroshev revealed today follows a recent takedown of the LockBit ransomware in February by the Cyber ​​Division of the UK's National Crime Agency (NCA), which worked in collaboration with the Department of Justice, the FBI and other international partners of law enforcement. As previously announced by the Department, authorities disrupted LockBit by seizing multiple public websites used by LockBit to connect to the organization's infrastructure and taking control of servers used by LockBit administrators, thereby disrupting the actors' ability to LockBit to attack and encrypt networks and extort victims by threatening to publish stolen data. That outage managed to greatly diminish LockBits' reputation and ability to prey on other victims, the indictment unsealed today alleges.

Dmitry Khoroshev conceived, developed and administered Lockbit, the world's most prolific ransomware variant and cluster, enabling himself and his associates to wreak havoc and cause billions of dollars in damages to thousands of victims around the globe, said US Attorney Philip R. Salesman for the District of New Jersey. He thought he could do this under the guise of his infamous LockBitSupp name, anonymous and of no consequence, while he personally pocketed $100 million extorted from Lockbits victims. Through ongoing investigation and coordination with our partners in the Criminal Division's Computer Crime and Intellectual Property Section, the FBI and beyond, we have proven him and his associates wrong. Today's indictment marks a significant milestone in the investigation and prosecution of LockBit, which has already led to charges against five other LockBit associates, two of whom are in custody pending trial, and a major operational disruption already discredited LockBit.

Additionally, as previously announced, law enforcement developed decryption capabilities that could enable hundreds of victims worldwide to restore systems encrypted using the LockBit ransomware variant. Victims targeted by this malware are encouraged to contact the FBI at https://lockbitvictims.ic3.gov/ to enable law enforcement to determine whether affected systems can be successfully decrypted.

According to the indictment and other documents previously unsealed in the District of New Jersey:

Khoroshev and the LockBit Ransomware Group

Khoroshev allegedly acted as the developer and administrator of the LockBit ransomware cluster from its inception in or around September 2019 until May 2024. Khoroshev and his associates transformed LockBit into what was, at times, the most active and world's most destructive ransomware. The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States. LockBit's victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofits, critical infrastructure, and government and law enforcement agencies. Khoroshev and his associates extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response and recovery.

Khoroshev allegedly designed LockBit to operate in the ransomware-as-a-service (RaaS) model. In his role as the developer and administrator of LockBit, Khoroshev organized the design of the LockBit ransom code himself, recruited other members of LockBit called affiliates to deploy it against victims, and maintained the LockBit infrastructure, including an online computer panel called a control panel to provide links to the necessary tools to install LockBit. Khoroshev also ran the public LockBits site called a data leak site for publishing data stolen from victims who refused to pay a ransom.

As alleged in the indictment, LockBit developer Khoroshevas typically received a 20% cut of any ransom payments extorted from LockBit victims. The member responsible for an attack would receive the remaining 80%. During the scheme, Khoroshev alone allegedly received at least $100 million in digital currency disbursements through his shares of ransom payment developer LockBit.

LockBit infrastructure seized by law enforcement during the February 2024 outage allegedly showed Khoroshev storing copies of data stolen from LockBit victims who had paid the required ransom.

Khoroshev and his associates had falsely promised those victims that their stolen data would be deleted after payment. Additionally, after the February 2024 outage, Khoroshev allegedly communicated with law enforcement and asked them to reveal the identities of his RaaS competitors, whom Khoroshev called his enemies, in exchange for his services.

Khoroshev is charged with one count of conspiracy to commit computer fraud, extortion and similar activities; one count of conspiracy to commit wire fraud; eight counts of willful damage to a protected computer; eight counts of extortion relating to confidential information from a protected computer; and eight counts of extortion in connection with damaging a protected computer. In total, these charges carry a maximum sentence of 185 years in prison. Each of the 26 counts charged by the indictment also carries a maximum fine of $250,000, monetary benefit to the offender, or property damage to the victim.

LockBit investigation

With the indictment unsealed today, a total of six LockBit members are now charged with their participation in the LockBit conspiracy:

In February 2024, an indictment was filed in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against multiple victims across the United States, including businesses nationwide in manufacturing and other industries.

In June 2023, a criminal complaint was filed in the District of New Jersey charging Ruslan Magomedovich Astamirov, a Russian national, in connection with his participation in the LockBit group. Astamirov is currently in custody awaiting trial.

In May 2023, two indictments were filed in Washington, DC and in the District of New Jersey charging Mikhail Matveev, also known as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, using various variants of ransomware, including LockBit, to attack multiple victims across the United States, including the Washington, DC Metropolitan Police Department. Matveev is currently the subject of a reward of up to $10 million through the United States Department of State's Transnational Organized Crime (TOC) Reward Program, with information received through the FBI's website at tips.fbi.gov/.

Finally, in November 2022, a criminal complaint was filed in the District of New Jersey charging Mikhail Vasiliev with his participation in the LockBit ransomware group. Vasiliev, a dual Russian-Canadian citizen, is currently in custody in Canada awaiting extradition to the United States.

The FBI's Newark office is investigating the LockBit ransomware variant.

District Attorneys Jessica C. Peck, Debra Ireland and Jorge Gonzalez of the Criminal Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorneys Andrew M. Trombly, David E. Malagold and Vinay Limbachia for the District of New Jersey are prosecuting the charges. against Khoroshev.

Considerable assistance was also provided by the Liaison Prosecutor of the Department of Justice for Cybercrimes at Eurojust, the Office of International Affairs and the National Security Division.

Additionally, the Department of the Treasury's Office of Foreign Assets Control announced today that it is designating Khoroshev for his role in launching the cyber attacks. For more information, visit https://home.treasury.gov/news/press-releases/jy2326. Authorities in the United Kingdom and Australia also announced sanctions today against Khoroshev.

The State Department also announced today a reward of up to $10 million for information leading to Khoroshev's capture. Information that may qualify for this award can be submitted by email to [email protected], Telegram to @LockbitRewards, signal to @FBISupp.01 and tox B0B98577F0541160C745B464E42C9AB782B0366582F28D55. The reward announced today complements an earlier reward of up to $10 million for information leading to the identification of any individual holding a leadership position in the criminal group behind the LockBit ransomware. For more information on this reward, visit Reward for information: LockBit Ransomware-as-a-service.

Victims of LockBit should contact the FBI at https://lockbitvictims.ic3.gov for more information. Additional details on protecting networks against LockBit ransomware are available at StopRansomware.gov. These include Cyber ​​Security and Infrastructure Security Agency Advisory AA23-325A, AA23-165A and AA23-075A.

An indictment is simply an allegation. below US By law, all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.