What we learned from the indictment of LockBit’s mastermind
On Tuesday, U.S. and U.K. authorities revealed that the mastermind behind LockBit, one of the most prolific and damaging ransomware groups in history, is a 31-year-old Russian named Dmitry Yuryevich Khoroshev, aka "LockbitSupp."
As it’s customary in these types of announcements, law enforcement published pictures of Khoroshev, as well as details of his group’s operation. The U.S. Department of Justice charged Khoroshev with several computer crimes, fraud, and extortion. And in the process, the feds also revealed some details about LockBit’s past operations.
Earlier this year, authorities seized LockBit’s infrastructure and the gang's banks of data, revealing key details of how LockBit worked.
Today, we have more details of what the feds called “a massive criminal organization that has, at times, ranked as the most prolific and destructive ransomware group in the world.”
Here’s what we’ve learned from the Khoroshev indictment.
Khoroshev had a second nickname: putinkrab
LockBit’s leader was publicly known by the not-very-imaginative nickname LockBitSupp. But Khoroshev also had another online identity: putinkrab. The indictment doesn’t include any information about the online handle, though it appears to reference Russian President Vladimir Putin. On the internet, however, several profiles using the same moniker on Flickr, YouTube, and Reddit, though it’s unclear if these accounts were run by Khoroshev.
LockBit hit victims in Russia, too
In the world of Russian cybercrime, according to experts, there’s a sacred, unwritten rule: hack anyone outside of Russia, and the local authorities will leave you alone. Surprisingly, according to the feds, Khoroshev and his co-conspirators “also deployed LockBit against multiple Russian victims.”
It remains to be seen if this means Russian authorities will go after Khoroshev, but at least now they know who he is.
https://twitter.com/NCA_UK/status/1787845496574222782
Khoroshev kept a close eye on his affiliates
Ransomware operations like LockBit are known as ransomware-as-a-service. That means there are developers who create the software and the infrastructure, like Khoroshev, and then there are affiliates who operate and deploy the software, infecting victims, and extorting ransoms. Affiliates paid Khoroshev around 20% of their proceedings, the feds claimed.
According to the indictment, this business model allowed Khoroshev to “closely” monitor his affiliates, including having access to victim negotiations and sometimes participating in them. Khoroshev even “demanded identification documents from his affiliate Coconspirators, which he also maintained on his infrastructure.” That’s probably how law enforcement was able to identify some of Lockbit’s affiliates.
Khoroshev also developed a tool called “StealBit” that complemented the main ransomware. This tool allowed affiliates to store data stolen from victims on Khoroshev’s servers, and sometimes publish it on LockBit’s official dark web leak site.
LockBit’s ransomware payments amounted to around $500 million
LockBit launched in 2020, and since then its affiliates have successfully extorted at least approximately $500 million from around 2,500 victims, which included “major multinational corporations to small businesses and individuals, and they included hospitals, schools, nonprofit organizations, critical infrastructure facilities, and government and law-enforcement agencies.”
Apart from the ransom payments, LockBit “caused damage around the world totaling billions in U.S. dollars,” because the gang disrupted victims' operations and forced many to pay incident response and recovery services, the feds claimed.
Khoroshev got in touch with the authorities to identify some of his affiliates
Probably the most shocking of the latest revelations: In February, after the coalition of global law enforcement agencies took down LockBit’s website and infrastructure, Khoroshev “communicated with law enforcement and offered his services in exchange for information regarding the identity of his [ransomware-as-a-service] competitors.”
According to the indictment, Khoroshev asked law enforcement to “[g]ive me the names of my enemies.”