Extortion attacks by cybercriminal gangs who steal and encrypt files continue to be one of the top threats to critical infrastructure, enterprises, governments, educational institutions and health care organizations. Countries including the U.S. and U.K. classify these ransomware attacks as national security threats due to the disruption, impacts and cost of recovery. These attacks continue to grow in scale. We observed more than 4,000 attacks in 2023, almost double the ransomware instances observed in 2022. The figure is certainly an underestimate, as it does not account for entities whose data has not been released on a data leak blog site or for which there is no public record of an attack. Nearly a quarter of those 4,000 attacks (981) can be attributed to the LockBit ransomware-as-a-service (RaaS) group, which has been described as one of the most profitable and destructive ransomware groups. This has made the group a priority for disruption by law enforcement and intelligence agencies due to the economic toll from the group’s attacks. According to the U.S. Department of Justice (DOJ), LockBit affiliate threat actors have attacked more than 2,500 victims and may have received as much as US $500 million in ransom payments.
For the second time, law enforcement has publicized its efforts to put pressure on and disrupt the LockBit group. On May 5, 2024, at 19:00 UTC, former LockBit data leak sites that were seized in a previous disruption in February 2024 (see: What Lies Ahead after LockBit’s Disruption?) came back online as law enforcement promised new information about the group’s illegal and damaging activity. The sites displayed countdown tiles in the same style LockBit had used to list ransomware victims, including short descriptions of what was planned to be revealed.
Then on May 7, 2024, U.S. DOJ officials in New Jersey unsealed a federal indictment against 31-year-old Russian national Dmitry Yuryevich Khoroshev (Дмитрий Юрьевич Хорошев) for allegedly being the administrator and developer of the LockBit ransomware, whose RaaS program started around September 2019. Khoroshev is charged with 26 counts including conspiracy to commit fraud and extortion with computers, conspiracy to commit wire fraud, intentional damage to a protected computer, extortion related to information unlawfully obtained from a protected computer and extortion related to intentional damage of a protected computer. In tandem, the U.S., U.K. and Australia levied sanctions against Khoroshev, which prohibit financial transactions with him, block the transfer of his assets and include travel bans if he were to leave Russia.
The indictment alleges Khoroshev is the real-world identity behind the notorious actor LockBitSupp, who developed, operated and advertised LockBit ransomware. He is alleged to have pocketed upward of US $100 million of the US $500 million LockBit has collected in ransoms. Authorities allege that other associated handles for Khoroshev are putinkrab and LockBit. The Department of State also announced a reward of up to US $10 million for information that leads to the apprehension of Khoroshev. The FBI has set up confidential channels for people who may have information about Khoroshev. The agency can be reached by email at [email protected], Telegram at @LockbitRewards, Signal at @FBISupp.01 and on the Tox messenger at B0B98577F0541160C745B464E42C9AB782B036682FAD59D5F228EA75BF71691BE68A8E08BD55.
In the past 18 months, U.S. authorities have indicted five other LockBit co-conspirators who are accused of being affiliates: Mikhail Pavlovich Matveev of Russia (Wazawaka, Boriselcin); Ruslan Magomedovich Astamirov of Russia (Betterpay, Offtitan); Mikhail Vasiliev of Canada and Russia (Ghostrider, Free); Artur Sungatov of Russia; and Ivan Kondratyev of Russia (Bassterlord, FishEye). In LockBit’s program, affiliates paid 20% of ransoms to LockBit in exchange for using its infrastructure and malware, keeping the remaining 80%. Most victims of LockBit affiliates were in Western countries. However, the indictment against Khoroshev says that although he prohibited affiliates from attacking victims inside Russia, the ransomware was nonetheless deployed against “multiple Russian victims.”
As with the first LockBit disruption in February 2024, law enforcement has collected more decryption keys from LockBit’s infrastructure that can be used to help those who were attacked. Europol says more than 2,500 keys are being distributed to victims. The European Cybercrime Centre (EC3) says it has distributed 3,500 intelligence packages to 33 countries where LockBit victim organizations are located.
Other material released by law enforcement on LockBit’s data leak site sought to demonstrate that public statements made by the group were not true. In one example, a LockBit affiliate in December 2022 attacked an unnamed children’s hospital. LockBit released a statement on its data leak site apologizing for the attack, saying that the partner who conducted it would be banned from LockBit’s affiliate program. Law enforcement, however, says this was a lie and that the affiliate continued to use the LockBit malware, conducted ransom negotiations using LockBit’s infrastructure and received “multiple” ransomware payments after supposedly being banned. Although LockBit said the hospital would be provided with a free decryptor, the one provided did not work properly.
First Strike on LockBit
On Feb. 19, 2024, the U.K. National Crime Agency (NCA), in cooperation with the European Union Agency for Law Enforcement Cooperation (Europol) and other partner law enforcement agencies, revealed offensive actions aimed at LockBit’s infrastructure. The task force, called Operation Cronos, hijacked LockBit’s data leak blog and control panel. LockBit’s data leak blog was then used to publish screenshots of the compromised back-end infrastructure as well as information collected by authorities from inside its systems. Authorities released the nicknames of 194 LockBit affiliate threat actors who worked with the group and also modified the affiliate control panel to warn affiliates that information about their criminal activity was being collected. Authorities seized around 1,000 decryption keys from LockBit’s infrastructure, which were used to help victims, and a LockBit 3.0 decryption tool was also released. In total, Operation Cronos took down 34 servers in eight countries, froze more than 200 cryptocurrency accounts and led to the arrest of two LockBit actors in Poland and Ukraine. Further, three international arrest warrants and five indictments were issued by French and U.S. authorities, and over 14,000 rogue accounts linked to exfiltration and infrastructure were closed.
Past law enforcement actions against ransomware actors and groups have caused threat actors to disband their operations and regroup under new brands. Unfortunately, the action did not prove to be a fatal blow against LockBit. LockBitSupp admitted security failures within its infrastructure that may have aided law enforcement, but the threat actor projected confidence and vowed to attack more government agencies in retaliation. Law enforcement indicated at the time that it would reveal LockBitSupp’s identity, writing on the group’s data leak site that it knew where LockBitSupp lived, how much he was worth and that he drove a Mercedes. However, that doxxing never came to pass. Law enforcement updated the site at that time to say the threat actor “has engaged with law enforcement.” Authorities elaborated on this in Khoroshev’s indictment. It states that shortly after the first operation against LockBit, Khoroshev sought to restore LockBit’s primacy and stifle the competition in the criminal RaaS space. He purportedly “offered his services in exchange for information regarding the identity of his RaaS competitors. Specifically, Khoroshev asked law enforcement during that exchange to, in sum and substance, ‘give me the names of my enemies.’” Within a week of the initial disruption, LockBit resumed operations, launched a new data leak blog on several new Tor domains and listed new extortion victims.
Assessment
Although the first publicized action against LockBit did not eliminate the group, it did affect its tempo. Since relaunching its data leak site in late February 2024, LockBit has posted 83 victims on its name-and-shame site. The figure is significantly fewer than the 240 victims recorded during the same period in 2023 but still places the group among the most active threat actors in 2024. Open-source research has cast some doubt on the legitimacy of some of the victims named during this period, which suggests LockBit may have tried to bolster its own reputation by claiming a higher number of attacks and thus further downplay the damage caused by law enforcement. Although not all victims are always named, the drop is stark and indicates the group may have lost affiliates due to worries over exposure to law enforcement. This exposure is a tangible risk. The U.S. indictment returned against Khoroshev says that he sometimes demanded “identification documents from his affiliate co-conspirators, which he maintained on his infrastructure.” Those documents could now be in the hands of law enforcement.
This new reveal by law enforcement may compound this decline. However, the unveiling of LockBitSupp’s purported real-world identity is unlikely to deter this specific actor from further criminal activity. Many ransomware groups fold after law enforcement takedowns and later re-form under new names, but LockBit has proved somewhat resilient. Even so, this latest action shows the gang is very much a focus for law enforcement. The U.S. contends that the first operation “greatly diminished” LockBit’s reputation. The U.K.’s NCA stated that although LockBit has tried to reconstitute its operations over the last two months, “they are currently running at limited capacity and the global threat from LockBit has significantly reduced.”
The highly public manner in which Operation Cronos was conducted also helps amplify the impact. The slow drip of information could cultivate additional anxiety among LockBit affiliates, who may lose faith in the RaaS and abandon the project. Since the initial disruption, LockBitSupp has been vocal in trying to assuage doubts and likely will seek to rebut any claims about the actor’s identity. Nonetheless, this action will contribute to the degradation of LockBit’s RaaS program and remind associated threat actors that they face risks by working with LockBit.
Intel 471 would like to congratulate the NCA and partner agencies that participated in these first and second actions including Europol, London Metropolitan Police, FBI, U.S. DOJ, Dutch National Crime Unit, National Gendarmerie, State Bureau of Criminal Investigation Schleswig-Holstein, Swedish Police Authority, Australian Federal Police, Royal Canadian Mounted Police, National Police Agency, Swiss Federal Office of Police, New Zealand Police, Prosecutor General’s Office of Ukraine, Poliisi and Central Cybercrime Bureau Cracow.