A Russian national named Dmitry Yuryevich Khoroshev has hit the headlines, for all the vile reasons, as law enforcement authorities in the United States, United Kingdom, and Australia have jointly named the person as the alleged operator of the LockBitSupp handle and the organisational mastermind behind the notorious LockBit ransomware group, which has been on a multiyear hacking rampage exporting an estimated USD 500 million from its victims.
“LockBit ransomware is malicious software designed to block user access to computer systems in exchange for a ransom payment. LockBit will automatically vet for valuable targets, spread the infection, and encrypt all accessible computer systems on a network. This ransomware is used for highly targeted attacks against enterprises and other organisations,” States Kaspersky.
LockBit attackers have been on the news frequently for threatening global organisations, disrupting their operations, extorting the victims financially, stealing data and illegally publishing them on the dark web.
LockBit has transformed itself into a subclass of ransomware known as a ‘crypto virus’ due to its ability to form its ransom requests around financial payment in exchange for decryption. The element focuses mostly on enterprises and government organisations rather than individuals.
“Attacks using LockBit originally began in September 2019, when it was dubbed the “.abcd virus.” The moniker was in reference to the file extension name used when encrypting a victim’s files. Notable past targets include organisations in the United States, China, India, Indonesia, and Ukraine. Additionally, various countries throughout Europe (France, UK, Germany) have seen attacks,” Kaspersky commented.
“Viable targets are ones that will feel hindered enough by the disruption to pay a heavy sum — and have the funds to do so. As such, this can result in sprawling attacks against large enterprises from healthcare to financial institutions. In its automated vetting process, it seems to also intentionally avoid attacking systems local to Russia or any other countries within the Commonwealth of Independent States. Presumably, this is to avoid prosecution in those areas,” the cybersecurity firm added further.
LockBit functions as ransomware-as-a-service (RaaS). Willing parties put a deposit down for the use of custom for-hire attacks, and profit under an affiliate framework. Ransom payments are divided between the LockBit developer team and the attacking affiliates, who receive up to three-fourths of the ransom funds.
How LockBit hit the news?
As recent as May 2024, reports emerged about the cybercriminals targeting American aviation giant Boeing using the LockBit ransomware platform in October 2023, during which these threat actors also demanded a $200 million extortion payment.
Boeing reportedly did not pay any ransom to LockBit after roughly 43 gigabytes of company data was posted to LockBit’s website in November 2023, according to BleepingComputer. Boeing, however, confirmed a “cyber incident” and said the incident was impacting elements of its parts and distribution business. The company refrained from commenting publicly in detail about the incident. However, they eventually admitted the episode during a US Justice Department indictment, which identified Dmitry Yuryevich Khoroshev as the main administrator and developer behind the LockBit ransomware operation.
“The reference in the indictment to the unnamed company (read Boeing) was an example of the ‘extremely large’ ransom demands made by Khoroshev and his co-conspirators, as they racked up more than $500 million in ransoms paid by victims since late 2019 or early 2020,” Cyberscoop reported further.
“I believe this may be the second biggest ransom demand to date — or, perhaps more accurately, to have become public knowledge,” said Brett Callow, a ransomware analyst with the cybersecurity firm Emsisoft, while interacting with Cyberscoop.
Callow said that it was “unlikely” that LockBit “had the ability to accurately determine just how sensitive that data was — or how much Boeing may be willing to pay to prevent it being published — and so made a ridiculously high demand simply to see what would happen. They probably had no realistic expectation of actually being paid that amount.”
LockBitSupp, the online persona that communicates with journalists and others online on behalf of LockBit, also confirmed to CyberScoop that Boeing was the unnamed company.
“US and British law enforcement authorities said that Khoroshev is LockBitSupp. A message posted to LockBitSupp’s account on the messaging platform said the authorities identified the wrong person,” Cyberscoop commented further.
Meet Dmitry Yuryevich Khoroshev
Has LockBitSupp played a mind game by stating Khoroshev as the “Wrong Person?” There is no definitive answer to this question, except the fact that the Russian individual we are talking about has been named by the American and British law enforcement authorities behind the LockBit ransomware attacks.
The Wired states, “LockBitSupp has evaded identification and bragged that people wouldn’t be able to reveal their offline identity—even offering a $10 million reward for their real name.”
Law enforcement’s linking of Khoroshev to LockBitSupp comes after the UK police infiltrated the LockBit group’s systems and made several arrests—taking its servers offline, gathering the group’s internal communications, and putting a stop to LockBit’s hacking spree. The law enforcement takedown, dubbed “Operation Cronos” and led by the UK’s National Crime Agency (NCA), has essentially neutralised the hacking group and sent ripples through the wider Russian cybercrime ecosystem. Not only Boeing, LockBitSupp even targeted sandwich chain Subway.
In addition to being named, Khoroshev has also been sanctioned by the US, UK, and Australia. According to the United States Office of Foreign Assets Control, Khoroshev is 31 and lives in Russia, with details of his sanction designation also listing multiple email addresses and cryptocurrency addresses, alongside his Russian passport details. Washington has also filed an indictment against him.
The indictment says Khoroshev has acted as the LockBit group’s “developer and administrator” since around September 2019, designing and developing its “control panel” used within ransomware attacks. The LockBit group managed to extort at least $500 million from victims in 120 countries, including Khoroshev’s home country Russia. The indictment further says that he received around $100 million from this activity.
In early 2024, before the crackdown by Western authorities, LockBit had risen to become one of the most prolific ransomware groups ever, launching hundreds of attacks on a monthly basis and ruthlessly publishing stolen data from companies if they refused to pay.
As per the Wired, investigators are also starting to unpick more details about the scale and scope of LockBit’s operations. An unnamed UK National Crime Agency (NCA) senior investigating officer, who is involved with the probe, says LockBit listed 2,350 victims publicly on its leak site up to the end of December 2023, but that this is just a small fraction of its hacking activity.
Judging gravity of the situation
As per Kaspersky, LockBit attacks are self-spreading in nature, when they target an organisation, meaning they don’t require manual direction from the human threat agents. The attacks don’t happen in a scattershot manner like spam malware, and the acts can be conducted through tools like Windows Powershell and Server Message Block (SMB).
During the attack stage, LockBit can self-propagate itself, meaning the malware spreads on its own. In its programming, LockBit is directed by pre-designed automated processes. This makes it unique from many other ransomware attacks that are driven by manually living in the network, sometimes for weeks, to complete reconnaissance and surveillance tasks.
“After the attacker has manually infected a single host, it can find other accessible hosts, connect them to infected ones, and share the infection using a script. This is completed and repeated entirely without human intervention,” Kaspersky described the nature of LockBit attacks exactly in these words.
“Furthermore, it uses tools in patterns that are native to nearly all Windows computer systems. Endpoint security systems have a hard time flagging malicious activity. It also hides the executable encrypting file by disguising it as the common .PNG image file format, further deceiving system defences,” it added further.
Breaking down the stages of LockBit attacks, the initial breach looks much like other malware attacks. An organisation may be exploited by social engineering tactics like phishing, in which attackers impersonate trusted personnel or authorities to request access credentials. Equally viable is the use of brute force attacks on an organization’s intranet servers and network systems. Without proper network configuration, attack probes may only take a few days to complete. Once LockBit makes its way into the network, the ransomware prepares the system to release its encrypting payload across every device it can.
In stage two, LockBit infiltrates deeper to complete the attack setup if needed. From here onwards, the LockBit programme directs all activity independently.
“It is at this stage that LockBit will take any preparative actions before deploying the encryption portion of the ransomware. This includes disabling security programmes and any other infrastructure that could permit system recovery,” it continued further, while adding, “the goal of infiltration is to make unassisted recovery impossible, or slow enough that succumbing to the attacker’s ransom is the only practical solution. When the victim is desperate to get operations back to normal, this is when they will pay the ransom fee.”
In the third stage, the malware deploys the encryption payload. Once the network has been prepared for LockBit to be fully mobilised, the ransomware will begin its propagation across any machine it can touch. A single system unit with high access can issue commands to other network units to download LockBit and run it.
The encryption portion will place a “lock” on all the system files. Victims will only be able to unlock their systems via a custom key created by LockBit’s proprietary decryption tool. The process also leaves copies of a simple ransom note text file in every system folder. It provides the victim with instructions to restore their system and has even included threatening blackmail in some LockBit versions.
“With all the stages completed, the next steps are left up to the victim. They may decide to contact LockBit’s support desk and pay the ransom. However, following their demands is not advised. Victims have no guarantee that the attackers will follow through on their end of the bargain,” Kaspersky remarked.
Rise of LockBit
The malware first emerged in 2019 as a fledgling “ransomware-as-a-service” (RaaS) platform. Under this setup, a core handful of individuals, organised by the LockBitSupp handle, created the group’s easy-to-use malware and launched its leak website. This particular group is still reportedly licencing LockBit’s code to “affiliate” hackers who launch attacks and negotiate ransom payments, eventually providing LockBit with around 20% of their profits.
Despite launching thousands of attacks, the group, in its starting days, maintained a low-profile, compared to other threat actors. Over time, as the malware started to dominate the cybercrime ecosystem, its members became more brazen and careless. As per an unnamed NCA senior investigator, these individuals pulled data about 194 affiliates from LockBit’s systems and were piecing together their offline identities.
The NCA investigator further pointed out “numerous” examples of the LockBit administrator directly “taking responsibility” for high-profile/high-ransom negotiations after affiliates had initially attacked the companies or organisations.
The US DOJ indictment claims Khoroshev, as LockBitSupp, kept a close track of his affiliates, keeping databases of each affiliate and the victims they had targeted. In some cases, the Russian demanded identification documents from his affiliate co-conspirators, which he also maintained on his infrastructure.
Jon DiMaggio, a researcher at cybersecurity firm Analyst1, who has been aggressively researching LockBit, apart from communicating with the LockBitSupp handle, told Wired, “He (Khoroshev) treated it like a business and often sought out feedback from his affiliate partners on how he could make the criminal operation more effective.”
“The LockBitSupp character would ask affiliates what they needed in order to more effectively do their work. He did not simply take money for himself, but he reinvested it into developing his operation and making it more desirable to criminals,” DiMaggio noted.
DiMaggio says the person he was speaking to privately using the LockBitSupp moniker was “arrogant but all business and very serious,” apart from sending cat stickers as part of chats.
“Publicly, on Russian language cybercrime forums where hackers trade data and discuss hacking politics and news, LockBitSupp was entirely different. The persona he amplified on the Russia hacking forums was a mix of a supervillain and Tony Montana from Scarface. He flaunted his success and money, and it rubbed people the wrong way at times,” DiMaggio continued further.
“In addition to setting a bounty on their own identity, LockBitSupp’s more innovative and erratic side also organised an essay-writing competition on the hacking forums, offered a bug bounty if people found flaws in LockBit’s code, and said they would pay $1,000 to anyone who got the LockBit logo as a tattoo. Around 20 people posted pictures and videos of their tattoos,” Wired continued.
Immediately after law enforcement claimed to reveal LockBitSupp’s identity, DiMaggio published new research about Khoroshev. Using a tip he received, plus open source intelligence and leaked dark web information, DiMaggio found social media profiles and extra personal information allegedly linked to the Russian national.
LockBitSupp was reportedly banned from two prominent Russian-language cybercrime forums in January 2024 after a complaint was made about their behaviour.
And the downfall finally came
In February 2024, an international task force of law-enforcement agencies from 10 countries, dubbed “Operation Cronos,” disrupted LockBit’s operations. LockBit’s technical infrastructure and its public-facing leak site on the dark web were seized after a months-long operation.
On 20 February, the NCA published details of the operation, and replaced content on the LockBit website, with an expose on LockBit’s operations and capabilities, including decryption keys, news of two arrests and a $10 million reward for information on ‘LockBitSupp’.
However, the battle was far from over, as it took LockBitSupp only five days to create replica versions of the group’s leak site. The website then started to be filled with apparent victims and it seemed like the LockBit group hadn’t been impacted by having all of its internal secrets accessed by Law enforcement agencies.
The NCA says the number of LockBit affiliates has dropped to 69 since its February takedown, while the DOJ indictment says LockBit’s victim count has “greatly diminished” since then.
What to expect now?
As per the DOJ indictment, post “Operation Cronos,” Khoroshev got in touch with law enforcement, in an attempt to “stifle his competition.”
“He offered his services in exchange for information regarding the identity of his RaaS competitors. Specifically, Khoroshev asked law enforcement during that exchange to, in sum and substance, give me the names of my enemies,” the indictment mentioned further.
Ahead of law enforcement naming Khoroshev, a countdown appeared on the website, and LockBitSupp responded by publishing scores of victims.
“LockBitSupp has a lot of enemies and people waiting to take his place,” said DiMaggio, the Analyst1 researcher, while adding that the group would unlikely stop their actions.
As per the NCA, the task force has seized LockBit’s bespoke data exfiltration tool, Stealbit, which was based in three countries and used to steal data, as well as 28 servers belonging to the group’s affiliates.
Europol, on the other hand, coordinated the arrest of two LockBit members in Poland and Ukraine and froze 200 cryptocurrency accounts linked to the group.
In the United States, indictment charges were brought against Russian nationals Artur Sungatov and Ivan Kondratyev, aka ‘Bassterlord’, for using LockBit against businesses globally.
Operation Cronos has also obtained more than 1,000 decryption keys, which can help victims recover their data. All these coordinated actions from the legal authorities are hitting LockBit hard. How long will the group remain defiant? Let’s wait and watch.