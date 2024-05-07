



The United States reveals the identity of Dmitry Khoroshev, a senior leader of the LockBit ransomware group, and imposes sanctions on him.

WASHINGTON - Today, the United States designated Dmitry Yuryevich Khoroshev, a Russian national and head of the Russia-based LockBit Group, for his role in the development and distribution of LockBit ransomware. This designation is the result of a collaborative effort with the U.S. Department of Justice, the Federal Bureau of Investigation, the U.K. National Crime Agency, the Australian Federal Police and other international partners. At the same time, the Justice Department is unsealing an indictment and the State Department is announcing a reward offer for information leading to Khoroshev's arrest and/or conviction. The United Kingdom and Australia are also announcing Khoroshev's designation.

"Today's action reaffirms our commitment to dismantling the ransomware ecosystem and exposing those who seek to carry out these attacks against the United States, our critical infrastructure and our citizens," said the Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson. "The United States, in close coordination with its British and Australian partners, will continue to hold accountable those responsible for these disruptive and threatening activities."

This designation follows several other recent actions by the US government against Russian cybercriminals involved in ransomware, including disruption of LockBit ransomware infrastructure and sanctions against LockBit Group subsidiaries. Russia, where groups such as LockBit are free to launch ransomware attacks against the United States and its allies and partners, continues to provide a haven for cybercriminals. The United States has already stressed that Russia must take concrete steps to prevent cybercriminals from operating freely on its territory. Today's actions reflect the United States' commitment to a long-term, coordinated, and sustained approach to disrupting and degrading the ransomware ecosystem.

Additionally, the U.S. State Department announced a reward of up to $10 million for information leading to the arrest and/or conviction of Russian national Dmitry Yuryevich Khoroshev for participating in, conspiring to participate in, or attempting to participate in transnational organized crime. On February 20, 2024, the State Department announced reward offers (up to $10 million) for information leading to the identification and location of key leaders of the LockBit ransomware variant group, as well as information leading to the arrest and/or conviction of members of the LockBit ransomware variant group (up to $5 million).

LOCKBIT: ONE OF THE MOST PROLIFIC RANSOMWARE GROUPS IN THE WORLD

The Russia-based LockBit ransomware group is one of the most active ransomware groups in the world and is best known for its ransomware variant of the same name. According to the Department of Justice, LockBit targeted more than 2,500 victims worldwide and allegedly received more than $500 million in ransoms. Since January 2020, affiliates using LockBit have attacked organizations across a wide range of critical infrastructure sectors, including financial services, education, emergency services, and healthcare.

LockBit operates on a Ransomware-as-a-Service model, in which the group licenses its ransomware to affiliated cybercriminals in exchange for payment, including a percentage of the ransoms paid. A Ransomware-as-a-Service cybercrime group maintains the functionality of a particular ransomware variant, sells access to that ransomware variant to individuals or groups of operators (often called affiliates), and supports the deployment of ransomware by its affiliates in exchange for an upfront payment, a subscription fee, part of the profits, or a combination of the three. Additionally, LockBit is known for its double extortion tactics, in which its cybercriminals exfiltrate large amounts of data from victims before encrypting the victims' computer systems and demanding a ransom payment.

CYBERCRIMINAL RESPONSIBLE FOR LOCKBIT RANSOMWARE VARIANT EXPOSED

Dmitry Yuryevich Khoroshev (Khoroshev), a Russian national and LockBit executive, is the primary operator of the well-known and public LockBit-related cybercrime moniker, LockBitSupp. As the head of the LockBit group and developer of the LockBit ransomware, Khoroshev served in various operational and administrative roles for the cybercrime group and benefited financially from the LockBit ransomware attacks. Additionally, Khoroshev facilitated LockBit infrastructure upgrades, recruited new developers for the ransomware, and managed LockBit affiliates. He is also responsible for LockBit's efforts to continue its operations after they were disrupted by the United States and its allies earlier this year.

OFAC designates Khoroshev pursuant to Executive Order (EO) 13694, as amended by EO 13757, for being responsible for or complicit in, or engaging in, directly or indirectly, cyber activities described in subparagraph (a)(ii)(D) of section 1 of EO 13694, as amended.

IMPLICATIONS OF SANCTIONS

As a result of today's action, all property and interests in property of this individual that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. OFAC regulations generally prohibit all transactions by U.S. persons or within the United States (including transactions passing through the United States) that involve property or interests in property of blocked persons. Additionally, individuals who engage in certain transactions with the person designated today may themselves be exposed to designation.

OFAC's sanctions power and integrity derive not only from its ability to designate and add individuals to the Specially Designated Nationals and Blocked Persons (SDN) list, but also from its willingness to remove individuals from the SDN list in accordance with the law. The ultimate goal of sanctions is not to punish but to bring about positive change in behavior. For more information on the process of requesting removal from an OFAC list, including the SDN list, please refer to OFAC Frequently Asked Questions 897 here. For detailed information on the process of submitting a request to be removed from an OFAC sanctions list, please click here.

See OFAC's updated advisory on potential sanctions risks for facilitating ransomware payments for information on actions that OFAC would consider mitigating factors in any related enforcement action involving ransomware payments with a potential link to sanctions. As noted in the advisory, OFAC strongly encourages all ransomware victims to contact appropriate government agencies, including the Federal Bureau of Investigation, to report a ransomware attack. For more information on complying with virtual currency sanctions, see OFAC's Sanctions Compliance Guide for the Virtual Currency Sector.

Additionally, the Cybersecurity & Infrastructure Security Agency, in collaboration with other U.S. departments and agencies and foreign partners, issued two cybersecurity advisories, "Understanding Ransomware Threat Actors: LockBit" and "LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability". These advisories detail the threats posed by this group and provide recommendations to reduce the likelihood and impact of future ransomware incidents.

For more information on today's designation, click here.

