LockBit Ransomware Admin Unmasked
Written by Karolis Liucveikis on
The United Kingdom's National Crime Agency (NCA) announced it had unmasked one of the kingpins behind the LockBit ransomware operation. US, UK, and Australian authorities have sanctioned this.
In the announcement, it was stated,
The sanctions against Russian national Dmitry Khoroshev, the administrator and developer of the LockBit ransomware group, are being announced today by the FCDO alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.
And,
Khoroshev, AKA LockBitSupp, who thrived on anonymity and offered a $10 million reward to anyone who could reveal his identity, will now be subject to a series of asset freezes and travel bans.
Khoroshev, has also had indictments in the US unsealed. US authorities are offering a reward of up to 10 million USD for information that leads to his arrest.
Asset freezes and travel bans are to include the following economic and geographical areas, the UK Foreign, Commonwealth and Development Office, alongside the US Department of the Treasury's Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs and Trade. This was confirmed in an Interpol statement released later.
These announcements follow actions taken by Operation Cronos, headed by both the NCA and FBI, to disrupt LockBit operations.
At the time, the NCA summarized the operations results as follows,
The NCA has taken control of LockBit’s primary administration environment, which enabled affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims. Instead, this site will now host a series of information exposing LockBit’s capability and operations, which the NCA will be posting daily throughout the week…The Agency has also obtained the LockBit platform’s source code and a vast amount of intelligence from their systems about their activities and those who have worked with them and used their services to harm organisations throughout the world.
This operation also helped law enforcement realize the true scope of LockBit operations. Based on data seized during Operation Cronos, during the period of June 2022 to February 2024, more than 7,000 attacks were built using their services.
The top five countries hit were the US, UK, France, Germany, and China in this time period. Of those targeted, at least 100 were hospitals and healthcare companies, and at least 2,110 victims were forced into some degree of negotiation by LockBit threat actors.
Data regarding LockBit affiliates showed that until February 2024, 194 affiliates were detected using LockBit's Ransomware-as-a-Service. Of those 194, 148 of them carried out attacks; 119 of those engaged in negotiations with victims; of those who began negotiation, 39 appear not to have paid the ransom; and 75 victims did not engage in negotiations at all.
Following the actions carried out and announced by the task team in February, LockBit spent the next few months trying to rebuild what was disrupted or destroyed in the operation.
During this time, threat actors created a new leak site on which they have inflated apparent activity by publishing victims targeted before the NCA took control of its services in February and taking credit for attacks perpetrated using other ransomware strains. This is an attempt to show all is well with the ransomware gang when the reality is entirely different.
Based on the data alone, the average number of monthly LockBit attacks has reduced by 73% in the UK since February's action, with other countries also reporting reductions. Attacks have been carried out by less sophisticated affiliates with lower levels of impact. This is a clear indication that LockBit might be seeing its final days leading the ransomware charge.
A Brief LockBit History
LockBit was first launched in September 2019 as a Ransomware-as-a-Service (RaaS), calling itself "ABCD" and later rebranded as LockBit. Affiliates would earn 80% of the ransomware payment, with the operators and admins receiving the rest.
Currently, ransomware operators are distributing LockBit 4.0, the fourth version of the ransomware, released shortly after the NCA and FBI seizure operations in February of this year.
Regarding LockBit operations, Bleeping Computer noted,
The operation is run by the very public operator known as LockBitSupp, now known to be Khoroshev, who frequented Russian-speaking hacking forums and revelled in talking to journalists and researchers about his criminal enteprise…While originally claiming to operate from China, today's revelations come as no surprise to learn that LockBitSupp is a Russian national…LockBit soon became the largest and most active ransomware operation, with a constant stream of new victims announced by the gang's data leak site and 194 affiliates up until February 2024.
A retaliation against the UK, US, and Australian authorities is to be expected following both Operation Cronos and the unmasking of Khoroshev. It is likely that such retaliation will be limited to leaking data of known victims.
Security researchers believe that any retaliation likely represents the ransomware gang's last gasps of air. While LockBit may cease operations shortly, you can expect the operators to begin operations under a new name, with a modified version of LockBit forming the operation's foundation.
▼ Show Discussion