
Authorities identify, sanction LockBit ransomware ringleader

After weeks of waiting, authorities in the U.S., the U.K. and Australia publicly identified 'LockBitSupp,' the mysterious operator behind the prolific LockBit ransomware gang.

In a series of indictments and sanctions, authorities from the U.S., the U.K. and Australia publicly identified the ringleader of the notorious LockBit ransomware gang known as "LockBitSupp."

The U.S. Department of Justice (DOJ) unsealed a 26-count criminal indictment against Russian national Dimitry Yuryevich Khoroshev, 31, on Tuesday for allegedly developing the ransomware code and running the ransomware as a service (RaaS) operation since LockBit's inception in 2019. In addition, the U.S. Treasury Department's Office of Foreign Assets Control; the U.K.'s Foreign, Commonwealth and Development Office; and Australia's Department of Foreign Affairs and Trade imposed sanctions on Khoroshev.

The identity of the LockBitSupp administrator persona was a mystery until recently. In February, a joint law enforcement operation dubbed "Operation Cronos," led by the U.K.'s National Crime Agency, disrupted LockBit's network and seized the gang's dark web sites, infrastructure, source code and encryption keys. Following the takedown, authorities used the seized domains to essentially troll the gang's members by posting information about the possible identity of LockBitSupp, though they stopped short of naming the individual.

LockBit was far and away the most prolific ransomware gang on the threat landscape in recent years, according to research from various cybersecurity companies. As LockBit's alleged ringleader, Khoroshev typically received a 20% share of each ransom payment victims made, according to the DOJ. Authorities said LockBit racked up more than 2,500 victims since 2019 and extorted them for at least $500 million in ransom payments, with Khoroshev allegedly pocketing $100 million alone.

Authorities in the U.S., the U.K. and Australia identified Dimitry Yuryevich Khoroshev as 'LockBitSupp,' the ringleader of the LockBit ransomware gang.

"Today's indictment of LockBit developer and operator Dimitry Yuryevich Khoroshev continues the FBI's ongoing disruption of the LockBit criminal ecosystem," FBI Director Christopher Wray said in the DOJ announcement. "The LockBit ransomware group represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals. The charges announced today reflect the FBI's unyielding commitment to disrupting ransomware organizations and holding the perpetrators accountable."

Khoroshev is the sixth individual the DOJ has indicted as part of its LockBit investigation. In November 2022, dual Canadian-Russian national Mikhail Vasiliev was arrested and charged for participating in the RaaS operation. In May 2023, Russian national Mikhail Matveev was charged for using several ransomware variants, including LockBit, in various attacks. In June, Russian national Ruslan Magomedovich Astamirov was charged with deploying LockBit ransomware attacks. And in February, as part of Operation Cronos, Russian nationals Artur Sungatov and Ivan Kondratyev were also charged with deploying LockBit attacks.

The charges and sanctions against Khoroshev come during RSA Conference 2024 in San Francisco, where several public- and private-sector leaders have spoken about the need to increase law enforcement actions against threat actors. For example, during his keynote Monday afternoon, Mandiant CEO Kevin Mandia talked about the importance of imposing risks and consequences on cybercriminals.

"The conclusion when looking at the last 12 months of incidents is it doesn't feel like there's a lot of risks or repercussions to compromising the enterprises that we see globally," he said. "We need to have attribution and to impose risk."

Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.
