The US Department of Justice (DOJ) has accused Dmitry Khoroshev, a 31-year-old Russian national, of being the leader behind LockBit ransomware.
LockBit’s “mastermind” faces 26 criminal charges related to computer fraud, extortion, and damaging computer systems. Given the current climate, he may do some serious time in jail.
Discovered in 2020, LockBit is a program criminals use to extort money from victims by locking them out of their computer systems.
The gang steals sensitive data, extorts victims by threatening to leak it, and has targeted thousands of organizations across various industries in the US alone, including financial services, food, schools, transportation, and government agencies.
Well Designed Hacks
Khoroshev allegedly created and managed LockBit software. He recruited other criminals to carry out the ransomware attacks. According to the indictment, he received a 20% cut of the ransom payments collected by his affiliates.
The gang allegedly operated from 2019 to 2024, targeting around 2,500 victims, mostly in the US, and extorting an estimated $500 million. Khoroshev is believed to have profited around $100 million from LockBit’s activities.
Khoroshev was indicted on 26 criminal charges, including fraud, extortion, and computer crimes. He now faces a potential sentence of 185 years in prison.
Most of LockBit’s infrastructure was seized by law enforcement. Five other members have been charged with crimes related to LockBit. One member, Mikhail Vasiliev, has been sentenced to 4 years in prison.
However, the group’s leader continues to operate it, as he revealed in an interview with The Record last month.
In efforts to arrest Khoroshev, the DOJ has sanctioned him, freezing his assets and prohibiting US citizens from doing business with him. In addition, the US authorities are offering a $10 million reward for information leading to Khoroshev’s arrest.
Ransomware Attacks Surge
According to Chainalysis’ report, ransomware attacks remained a major cyber threat in 2023, with the number of victims surging by 70%. However, the attacks that involved payments were down 46%.
LockBit, together with Qakbot and BlackCat, was seen as a notable ransomware gang.
LockBit is a RaaS (Ransomware-as-a-Service) that allows anyone to launch cyberattacks using their software. It was highly successful, responsible for a large portion of ransomware attacks.
In February 2024, a major international operation took control of LockBit’s infrastructure, seized their hacking tools and stolen data, and even recovered decryption keys for victims. They also arrested some members and sanctioned others, as mentioned above.
After the FBI and global law enforcement agencies disrupted LockBit’s operations, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) added to its sanctions list a number of cryptocurrency wallets belonging to two Russian citizens identified as being involved in LockBit, the world’s largest cybercrime organization.
Despite this claim, LockBit maintains that its operation is not affected by backup servers. Therefore, the complete dismantling of the gang seems unlikely.
However, the widespread disruption significantly hurt LockBit’s ability to operate. They lost trust in their group and their ability to recruit new attackers.
Following the US OFAC’s action, the world’s largest stablecoin issuer, Tether, also added LockBit-related addresses to its blacklist. Tether has a history of complying with OFAC sanctions, previously freezing 161 wallets on similar lists.
Despite regulatory efforts to take down ransomware groups, ransomware actors are adaptable and can quickly switch tactics. For instance, LockBit’s leader claims they’ll continue and there are signs of them restarting attacks, possibly with new versions of their ransomware.
Ransomware attackers often use Bitcoin because it’s difficult to trace. While Bitcoin is gaining popularity with businesses, it’s also been used for illegal activities for years.
Previously, using cryptocurrency for illegal activities was difficult. However, with Bitcoin’s growing popularity, it’s easier for hackers to profit from ransomware attacks. There’s a concern that it could lead to more ransomware attacks.