By SDCN Editor
The U.S. Justice Department unsealed charges Tuesday against a Russian man for his alleged role as the creator, developer, and administrator of the LockBit ransomware group from its inception in September 2019 through the present. At times, LockBit was the most prolific ransomware group in the world.
Dimitry Yuryevich Khoroshev, also known as LockBitSupp, LockBit, and putinkrab, 31, of Voronezh, Russia, was charged by a 26-count indictment returned by a grand jury in the District of New Jersey.
The indictment against Khoroshev follows a recent disruption of LockBit ransomware in February by the U.K. National Crime Agency’s (NCA) Cyber Division, which worked in cooperation with the Justice Department, FBI, and other international law enforcement partners.
As previously announced by the department, authorities disrupted LockBit by seizing numerous public-facing websites used by LockBit to connect to the organization’s infrastructure and by seizing control of servers used by LockBit administrators, thereby disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data. That disruption greatly diminished LockBit’s reputation and ability to attack further victims, as alleged by the indictment.
“Earlier this year, the Justice Department and our U.K. law enforcement partners disrupted LockBit, a ransomware group responsible for attacks on victims across the United States and around the world,” said Attorney General Merrick Garland. “Today we are going a step further, charging the individual who we allege developed and administered this malicious cyber scheme, which has targeted over 2,000 victims and stolen more than $100 million in ransomware payments.”
“The LockBit ransomware group represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals,” said FBI Director Christopher Wray.
In addition, law enforcement developed decryption capabilities that may enable hundreds of victims worldwide to restore systems encrypted using the LockBit ransomware variant.
According to the indictment and other documents previously unsealed in the District of New Jersey, Khoroshev allegedly acted as the LockBit ransomware group’s developer and administrator from its inception in September 2019 through May 2024. Khoroshev and his affiliate co-conspirators grew LockBit into what was, at times, the most active and destructive ransomware variant in the world. The LockBit ransomware group attacked over 2,500 victims in at least 120 countries, including 1,800 victims in the United States. LockBit victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies. Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery.
Khoroshev allegedly designed LockBit to operate in the “ransomware-as-a-service” (RaaS) model. In his role as the LockBit developer and administrator, Khoroshev arranged for the design of the LockBit ransomware code itself, recruited other LockBit members—called affiliates—to deploy it against victims, and maintained the LockBit infrastructure, including an online software dashboard called a “control panel” to provide the affiliates with the tools necessary to deploy LockBit. Khoroshev also maintained LockBit’s public-facing website—called a “data leak site”—for the publication of data stolen from victims who refused to pay a ransom.
As alleged in the indictment, Khoroshev—as the LockBit developer—typically received a 20% share of each ransom payment extorted from LockBit victims. The affiliate responsible for an attack would receive the remaining 80%. During the scheme, Khoroshev alone allegedly received at least $100 million in disbursements of digital currency through his developer shares of LockBit ransom payments.
LockBit infrastructure seized by law enforcement through the February 2024 disruption allegedly showed that Khoroshev retained copies of data stolen from LockBit victims who had paid the demanded ransom.
Khoroshev and his affiliate co-conspirators had falsely promised those victims that their stolen data would be deleted after payment. Moreover, after the February 2024 disruption, Khoroshev allegedly communicated with law enforcement and urged them to disclose the identities of his RaaS competitors—whom Khoroshev called his “enemies”—in exchange for his services.
Khoroshev is charged with one count of conspiracy to commit fraud, extortion, and related activity in connection with computers; one count of conspiracy to commit wire fraud; eight counts of intentional damage to a protected computer; eight counts of extortion of confidential information from a protected computer; and eight counts of extortion in relation to damage to a protected computer. In total, those charges carry a maximum penalty of 185 years in prison. Each of the 26 counts charged by the indictment also carries a maximum fine of the greatest of $250,000, pecuniary gain to the offender, or pecuniary harm to the victim.
With the indictment unsealed, six LockBit members have been charged for their participation in the LockBit conspiracy.
In February 2024, an indictment was unsealed in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries.
In June 2023, a criminal complaint was filed in the District of New Jersey charging Ruslan Magomedovich Astamirov, a Russian national, in connection with his participation in the LockBit group. Astamirov is currently in custody awaiting trial.
In May 2023, two indictments were unsealed in Washington, D.C., and the District of New Jersey charging Mikhail Matveev, also known as “Wazawaka,” “m1x,” “Boriselcin,” and “Uhodiransomwar,” with using different ransomware variants, including LockBit, to attack numerous victims throughout the United States, including the Washington, D.C., Metropolitan Police Department. Matveev is currently the subject of a reward of up to $10 million through the U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program, with information accepted through the FBI tip website at tips.fbi.gov/.
In November 2022, a criminal complaint was filed in the District of New Jersey charging Mikhail Vasiliev in connection with his participation in the LockBit ransomware group. Vasiliev, a dual Russian-Canadian national, is currently in custody in Canada awaiting extradition to the United States.
The FBI Newark Field Office is investigating the LockBit ransomware variant.
Victims targeted by this malware are encouraged to contact the FBI at https://lockbitvictims.ic3.gov/ to enable law enforcement to determine whether affected systems can be successfully decrypted.