US officials have uncovered and indicted the ringleader of LockBit, a widespread ransomware operation that has extorted victims out of half a billion dollars. He is facing over two dozen criminal charges.
According to a 26-count indictment released on Tuesday, Dmitry Khoroshev, 31, served as LockBit's "developer and administrator," overseeing code development and recruiting affiliates to execute the ransomware on its victims.
The alleged cybercriminal got 20% of each ransom payment for his role in the operation, totaling $100 million in cryptocurrency over four years, the US Justice Department noted.
“Today’s indictment…continues the FBI’s ongoing disruption of the BlockBit criminal ecosystem,” FBI Director Christopher Wray noted in the statement.
Since its founding in 2019, LockBit has allegedly defrauded at least 2,500 individuals across more than 120 countries of at least $500 million in extortion. The U.S. Justice Department noted in its statement that it is also accountable for several billions of dollars' worth of "broader losses" linked to lost profits, incident responses, and ransom recoveries.
In the indictment, US investigators demanded that Khoroshev surrender his $100 million share of the ill-gotten gains. Meanwhile, the UK, United States, and Australia have sanctioned the mastermind, freezing his assets and prohibiting him from travelling. The US State Department is offering a $10 million prize for information that leads to Khoroshev's capture.
The latest charge comes several months after authorities took steps to shut down the ransomware operation. In February, international law enforcement confiscated LockBit's infrastructure, thereby halting operations. Around the same time, US authorities prosecuted two Russian cybercriminals using Lockbit ransomware to target a number of businesses and organisations.
LockBit's rebuild issue
The group's attempt to rebuild over the last few months looks to be failing, with the gang still operating at a low capacity and its new leak site being used to publicise victims targeted prior to the takedown, as well as to claim credit for the crimes of others.
According to the NCA's most recent data, the frequency of monthly LockBit assaults in the UK has decreased by 73% since late February, and those that do occur are carried out by less sophisticated attackers with far lower impact.
“Since Operation Cronos took disruptive action, LockBit has been battling to reassert its dominance and, most importantly, its credibility within the cyber criminal community,” stated Don Smith, vice-president of SecureWorks’ Counter Threat Unit.