Cybersecurity

US and UK agencies go after anonymity in latest LockBit hit

“There is no hiding place for cyber criminals,” NCA director says in a statement.

Francis Scialabba

And he might’ve gotten away with it, too, if it weren’t for those meddling government agencies.

In simultaneous announcements on May 7 that felt only slightly like the finale to a Scooby-Doo episode, the US Department of Justice and the UK’s National Crime Agency pulled the mask off the individual they allege to be behind the digital persona known as “LockBitSupp”—someone the government orgs claim to be a leading figure behind the operation of the ransomware group LockBit.

“Through the meticulous work of our investigators and prosecutors, we have unmasked the man behind ‘LockBitSupp,’” Nicole M. Argentieri, principal deputy assistant attorney general, head of the criminal division, said in a May 7 statement, naming the Russian individual believed to be behind LockBitSupp—Dmitry Yuryevich Khoroshev—and declaring a 26-count indictment against him.

Additionally, the US State Department announced a reward of up to $10 million for information leading to Khoroshev’s apprehension.

The NCA’s statement also provided a photo “identity reveal” of Khoroshev, stating he will now face asset freezes and travel bans.

“These sanctions are hugely significant and show that there is no hiding place for cyber criminals like Dmitry Khoroshev, who wreak havoc across the globe. He was certain he could remain anonymous, but he was wrong,” NCA Director General Graeme Biggar said in a statement, which also noted sanctions from the UK and Australia.

The NCA announcement cited statistics regarding LockBit’s cyberattack impact:

  • Between June 2022 and February 2024, LockBit services supported more than 7,000 attacks. The ransomware as a service (RaaS) provider also allows affiliates’ use of its cyberthreat tools. (The NCA, according to its May 7 post, has studied the attack and communication patterns of at least 194 affiliates.)
  • Attacks included over 100 hospitals and healthcare companies.
  • LockBit-linked efforts led to at least 2,110 victims forced into negotiation with cybercriminals, the NCA said.

The international announcement follows February’s multi-agency disruption of LockBit’s technical infrastructure—part of an effort referred to as Operation Cronos, which led IT pros who spoke with IT Brew to speculate that the seizing would scatter ransomware as a service affiliates.

A recent report from cybersecurity company ZeroFox found that LockBit claimed over 50% of observed ransomware and data exfiltration (R&DE) activity in February of 2023, but that high proportion dipped to 22% in February 2024 (around the time Operation Cronos began) and then stood at “just 3 percent so far in April 2024,” according to the writers of the study, which was published on April 29.

Other threat actors are happy to fill any voids in the criminal cyberspace. A first-quarter ransomware report from Corvus Insurance revealed new threat groups filling any absences of LockBit malware, specifically 18 new leak sites—more than any single quarter recorded by Corvus.

“There’s going to have to be multiple operations, similar to Operation Cronos, before we start seeing a real return on investment,” Ryan Westman, director of threat intelligence at cybersecurity company eSentire, told IT Brew.

Drew Schmitt, practice lead on the research and intelligence team at cybersecurity provider GuidePoint Security, follows ransomware patterns and sees Tuesday’s identity revelation as a demonstration of effective law-enforcement cooperation, and an impactful hit against cybercriminals feeling comfortable in their anonymity.

“They’re saying, ‘Despite how good you think you are at anonymity, we’re finding ways to still find out who you are…despite where you are in the world,’” Schmitt told IT Brew.
