On Tuesday, US and British authorities revealed that the mastermind behind LockBit, one of the most prolific and damaging ransomware groups in history, is a 31-year-old Russian named Dmitry Yuryevich Khoroshev, aka “LockbitSupp.”
As is typical in these types of announcements, law enforcement published photos of Khoroshev, as well as details of his group’s operations. The US Department of Justice has charged Khoroshev with several computer crimes, fraud and extortion. In doing so, the federal government also revealed some details about LockBit’s past operations.
Earlier this year, authorities seized LockBit’s infrastructure and the gang’s data banks, revealing key details about how LockBit operates.
Today, we have more details about what the federal government has called “a massive criminal organization that has sometimes ranked as the most prolific and destructive ransomware group in the world.”
Here’s what we learned from Khoroshev’s indictment.
Khoroshev had a second nickname: putinkrab
The leader of LockBit was publicly known by the unimaginative nickname LockBitSupp. But Khoroshev also had another online identity: putinkrab. The indictment contains no information about the online handle, although it appears to refer to Russian President Vladimir Putin. On the Internet, however, several profiles use the same nickname on Flickr, YouTube and Reddit, although it is unclear whether these accounts were managed by Khoroshev.
LockBit also caused victims in Russia
In the world of Russian cybercrime, experts say, there is a sacred, unwritten rule: Hack anyone outside of Russia and local authorities will leave you alone. Surprisingly, according to the feds, Khoroshev and his co-conspirators “also deployed LockBit against multiple Russian victims.”
Whether this means Russian authorities will go after Khoroshev remains to be seen, but at least they now know who he is.
Khoroshev closely monitored his affiliates
Ransomware operations like LockBit are known as ransomware-as-a-service. That means there are developers who create the software and infrastructure, like Khoroshev, and then there are affiliates who operate and deploy the software, infecting victims and extorting ransoms. Affiliates paid Khoroshev about 20 percent of their income, authorities said.
According to the indictment, this business model allowed Khoroshev to “closely” monitor his affiliates, including having access to and sometimes participating in negotiations with victims. Khoroshev even “demanded identification documents from his Coconspirators affiliates, which he also kept on his infrastructure.” This is likely how law enforcement was able to identify some of Lockbit’s affiliates.
Khoroshev also developed a tool called “StealBit” that complements the main ransomware. This tool allowed affiliates to store data stolen from victims on Khoroshev’s servers, and sometimes publish it on LockBit’s official dark web leak site.
LockBit Ransomware Payouts Total About $500 Million
LockBit was launched in 2020, and since then its affiliates have successfully extorted at least around $500 million from around 2,500 victims, including “large multinational corporations, small businesses, and individuals, and they included hospitals, schools, nonprofits, critical infrastructure, and government and law enforcement.
In addition to paying ransoms, LockBit “caused damage worldwide totaling billions of US dollars” because the gang disrupted victims’ operations and forced many of them to pay for response and recovery services. recovery in the event of an incident, federal authorities said.
Khoroshev contacted authorities to identify some of his affiliates
Probably the most shocking of the latest revelations: In February, after the coalition of global law enforcement agencies took down LockBit’s website and infrastructure, Khoroshev “communicated with law enforcement and offered his services in exchange for information regarding the identity of its (ransomware-as-a-service) competitors.
According to the indictment, Khoroshev asked law enforcement to “give me the names of my enemies.”
techcrunch
