Investigators finally unmask LockBit kingpin after two-month tease

Tan KW
Publish date: Tue, 07 May 2024, 11:38 PM
The kingpin of the LockBit ransomware operation has finally been named by law enforcement as Dmitry Yuryevich Khoroshev.

Khoroshev's unmasking and addition to sanctions lists represents a landmark revelation in Operation Cronos's efforts to disrupt and dismantle the LockBit ransomware operation, the bulk of which was carried out in February.

Many believed the unveiling of the Russian national's true identity, which had been kept a closely guarded secret for years, would be the cherry on top of LockBit's downfall. Authorities chose not to reveal it at the time, and it isn't clear why they've chosen now to do so.

However, at the time of LockBit's initial disruption, law enforcement merely teased the fact they knew the identity of Khoroshev, aka LockBitSupp, with a final post saying (of LockBit's leader):

Today's news will provide a tidy bookend to the two-month tease, but given his residence in Russia, the charges and sanctions leveled against Khoroshev are unlikely to result in justice.

"These sanctions are an important moment in our fight against cyber criminals behind the LockBit ransomware group, which is now on its knees following our disruption earlier this year," said Graeme Biggar, director general at the National Crime Agency (NCA), which led Operation Cronos.

"They have caused untold damage to schools, hospitals, and major companies across the world, who've had to pick up the pieces following devastating cyber attacks. 

"Dmitry Khoroshev thought he was beyond reproach, even offering $10m to anyone who could reveal his identity, but these actions dispel that myth. Our investigation into LockBit and its affiliates continues and, working with our international partners, we'll do everything we can to undermine their operations and protect the public."

In a recent interview with malware collective vx-underground, Khoroshev said whatever law enforcement was planning to reveal was a lie.

He told vx-underground: "I don't understand why they're putting on this little show. They're clearly upset we continue to work."

The US is offering a $10 million reward to anyone who can provide authorities with information leading to the arrest and/or conviction of Khoroshev, or any other individual who holds a senior leadership position at LockBit.

Operation Cronos's initial activity in February saw the dramatic seizure of LockBit's blog where its victims' data is published. 

The NCA then repurposed it as an exposé hub, linking to the various insights gleaned from authorities' infiltration of the gang. After pulling the site offline, Operation Cronos revived it over the weekend and today it became the exposé hub once again.

Offering an update on its investigation, the Operation Cronos team said they looked deep into the 194 affiliates they found in February and concluded that 114 appear to have never earned a penny from their time spent attacking organizations.

A total of 119 affiliates engaged in negotiations with victims, but at least 39 of these appear to have never received a ransom payment. An additional 75 affiliates appear to have never engaged in any negotiations, meaning they would never have received a payment.

Some 114 affiliates will still be investigated by law enforcement for criminal activity despite never seeing any success in their endeavors, all after spending thousands to join the criminal gang.

Many identities were unveiled and a small number of arrests were made in February. However, given that most of LockBit's members reside in Russia, authorities encountered obvious jurisdiction issues there, otherwise a greater number of arrests may have been made.

Some mystery has shrouded LockBit's operation since the initial takedown attempt. Its leader, Khoroshev, who was initially expected to be unmasked in February, remained anonymous, created a new leak blog, and continued to claim responsibility for attacks. The efforts to take the gang down appeared to be largely fruitless.

Many of the attacks claimed by LockBit post-bust, however, were found to be republications of previous incidents, some of which were years old. The NCA also said it believes some of the attacks claimed after the February disruption were actually carried out by rival ransomware gangs.

Despite Khoroshev's attempts to rebuild the operation, LockBit remains significantly disrupted. Per the NCA, LockBit is "running at limited capacity" and its global threat has been "significantly reduced."

The NCA said today that, after delving into the records made accessible by the takedown, it found that more than 7,000 attacks were built using LockBit's tools between June 2022 and February 2024, before the February disruption.

The attacks targeted more than 100 hospitals and healthcare companies, and at least 2,110 victims began negotiations with the criminals.

The NCA said: "Data shows that the average number of monthly LockBit attacks has reduced by 73 percent in the UK since February's action, with other countries also reporting reductions. Attacks appear to have been carried out by less sophisticated affiliates with lower levels of impact."

Of the 194 affiliates registered with LockBit as of February, the number has fallen to 69, suggesting many have lost confidence in Khoroshev's gang and shifted their allegiances elsewhere.

UK security minister Tom Tugendhat said: "Cybercriminals think they are untouchable, hiding behind anonymous accounts as they try to extort money from their victims.

"By exposing one of the leaders of LockBit, we are sending a clear message to these callous criminals. You cannot hide. You will face justice." ®

https://www.theregister.com//2024/05/07/lockbit_kingpin_unmasked/
