Revealing the Identity of the Alleged Mastermind Behind LockBit Ransomware

Matt Burgess

Law enforcement in the United States, United Kingdom, and Australia today jointly named Russian national Dmitry Yuryevich Khoroshev as the alleged operator of the LockBitSupp handle and the organizational mastermind behind the notorious LockBit ransomware group, which has been on a multiyear hacking rampage, extorting more than $120 million from its victims.

For years, the leader of LockBit has remained an enigma. Carefully hiding behind their online moniker, LockBitSupp has evaded identification and bragged that people wouldn’t be able to reveal their offline identity—even offering a $10 million reward for their real name.

Law enforcement’s linking of Khoroshev to LockBitSupp comes after police in the UK infiltrated the LockBit group’s systems and made several arrests—taking its servers offline, gathering the group’s internal communications, and putting a stop to LockBit’s hacking spree. The law enforcement takedown, dubbed Operation Cronos and led by the UK’s National Crime Agency (NCA), has essentially neutralized the hacking group and sent ripples through the wider Russian cybercrime ecosystem.

In addition to being named, Khoroshev has also been sanctioned by the US, UK, and Australia. According to the US Office of Foreign Assets Control, Khoroshev is 31 and lives in Russia, with details of his sanction designation also listing multiple email addresses and cryptocurrency addresses, alongside his Russian passport details.

Before the takedown earlier this year, LockBit had risen to become one of the most prolific ransomware groups ever, launching hundreds of attacks per month and ruthlessly publishing stolen data from companies if they refused to pay. Boeing, the UK’s Royal Mail postal service, a children’s hospital in Canada, and the Industrial and Commercial Bank of China were all included in LockBit’s or its affiliates’ recent roster of victims.

Investigators are also starting to unpick more details about the scale and scope of LockBit’s operations. The NCA’s senior investigating officer, who is not being publicly named due to their continued involvement in the operation, says LockBit listed 2,350 victims publicly on its leak site up to the end of December 2023, but that this is just a small fraction of its hacking activity.

Within its system, there were 7,000 “attack builds” for unique victims, the investigator says. More than 100 hospitals were listed, despite LockBit having internal rules not to target medical facilities. “When they said we will fire the individual publicly for doing that, they didn’t fire the individual,” the investigator says.


“If you are a cyber criminal, and you are operating in these marketplaces, or forums or platforms, you cannot be certain that law enforcement are not in there observing you and taking action against you,” says Paul Foster, the head of the NCA’s National Cyber Crime Unit.

LockBit first emerged in 2019 as a fledgling “ransomware-as-a-service” (RaaS) platform. Under this setup, a core handful of individuals, organized by the LockBitSupp handle, created the group’s easy-to-use malware and launched its leak website. This core group then licensed LockBit’s code to “affiliate” hackers, who launched the attacks and negotiated the ransom payments, ultimately handing around 20 percent of their profits back to LockBit.

Despite launching thousands of attacks, the group initially tried to keep a low profile compared to other ransomware groups. Over time, as LockBit became more well known and started to dominate the cybercrime ecosystem, its members became more brazen and arguably careless. The NCA senior investigator says they pulled data about 194 affiliates from LockBit’s systems and are piecing together their offline identities—only 114 of them didn’t make any money, the investigator says. “There were some that were incompetent and didn’t carry out attacks,” they say.

At the center of it all was the LockBitSupp persona. The NCA investigator says there were “numerous” examples of the LockBit administrator directly “taking responsibility” for high-profile or high-ransom negotiations after affiliates had initially attacked the companies or organizations.

Jon DiMaggio, a researcher at cybersecurity firm Analyst1, has spent years researching LockBit and communicating with the LockBitSupp handle. “He treated it like a business and often sought out feedback from his affiliate partners on how he could make the criminal operation more effective,” DiMaggio says. The LockBitSupp character would ask affiliates what they needed in order to more effectively do their work, the researcher says.

“He did not simply take money for himself, but he reinvested it into developing his operation and making it more desirable to criminals,” DiMaggio says. Over the group’s lifetime, LockBit shipped two major new versions of its malware, each more capable and easier to use than the last. Analysis of data from the law enforcement operation by security company Trend Micro shows the group was working on a new version as well.

DiMaggio says the person he was speaking to privately using the LockBitSupp moniker was “arrogant” but “all business and very serious”—aside from sending cat stickers as part of chats. Publicly, on Russian language cybercrime forums where hackers trade data and discuss hacking politics and news, LockBitSupp was entirely different, DiMaggio says.

“The persona he amplified on the Russian hacking forums was a mix of a supervillain and Tony Montana from Scarface,” DiMaggio says. “He flaunted his success and money, and it rubbed people the wrong way at times.”

Not only did LockBitSupp put a bounty on their own identity, they also displayed their more innovative and erratic tendencies by organizing an essay-writing contest on the hacking forums. They offered a “bug bounty” for anyone who could find mistakes in LockBit’s code. They even stated that they would give $1,000 to anyone who got a tattoo of the LockBit logo. Approximately 20 individuals posted images and videos of their tattoos.


LockBitSupp was banned from two prominent Russian-language cybercrime forums in January after a complaint was made about their behavior. “They’ve made partners, supporters, haters, and fans over the years,” says Victoria Kivilevich, director of threat research at security firm KELA.

Analysis of cybercrime forums by Kivilevich shows the Russian-language ecosystems had mixed responses, including surprise when LockBit was first compromised by law enforcement. “Users gloating that LockBit finally failed and got what he deserved, making references to his statements where he bragged about how LockBit ‘RaaS’ is secure and better than any other operations,” Kivilevich says.

Other forum users questioned the technical decisions of LockBitSupp and whether they had collaborated with law enforcement, the researcher says. There were forum users who reacted neutrally, “mostly saying the operation won’t affect LockBit much and the operation will continue to exist,” Kivilevich says.

After Operation Cronos took LockBit offline in February, it took LockBitSupp only five days to create replica versions of the group’s leak site. The website then started to be filled with apparent victims; it seemed like the LockBit group hadn’t been impacted by having all of its internal secrets accessed by police around the world.

These recently posted victims aren’t what they seem, though, multiple experts say. “The actual law enforcement intervention has been significant,” says Matt Hull, the global head of threat intelligence at cybersecurity firm NCC Group.

On top of this, much of the credibility of the LockBit brand has been destroyed. Hull says he is seeing smaller ransomware affiliates and groups “really starting to distance themselves” from LockBit and moving to other RaaS operations. “It’s unlikely that we’ll see another big name like LockBit appearing with those sorts of numbers unless there’s some massive rebranding or some sudden change in allegiance toward the individuals behind LockBit,” Hull says.

As for LockBitSupp, it’s unlikely they’ll respond well to being publicly identified. When Operation Cronos took down LockBit’s systems in February, police repurposed its leak website to publish details about the group itself. Ahead of law enforcement naming Khoroshev, a countdown appeared on the website, and LockBitSupp responded by publishing scores of victims.

“LockBitSupp has a lot of enemies and people waiting to take his place,” says DiMaggio, the Analyst1 researcher, who adds it is unlikely they will stop their actions, although it will be harder to continue. “It is much easier to be a bad guy when no one knows who you are. His reputation is shot and that will be very difficult to come back from.”

This is a developing story. Check back for more details.
