LockBit mastermind unmasked by law enforcement

Dmitry Khoroshev, member of the LockBit ransomware gang, in a wanted image posted by law enforcement agencies.
(Image credit: National Crime Agency (NCA))

Authorities have unmasked the leader of the LockBit ransomware group following an international law enforcement disruption campaign led by the UK’s National Crime Agency (NCA). 

In an announcement today, the NCA revealed sanctions have been imposed on Russian national Dmitry Khoroshev, whom the agency described as the “administrator and developer of the LockBit ransomware group”.

Khoroshev, also known by the alias ‘LockBitSupp’, will now be subject to asset freezes and travel bans following the law enforcement operation.

The NCA revealed US partners have also offered a reward of up to $10 million for information leading to his arrest and conviction.

The $10 million reward offered by US authorities matches what Khoroshev previously offered to those who could reveal his identity.

NCA director general Graeme Biggar said the sanctions are “hugely significant” and serve as a warning to cyber criminals that there is “no hiding place”.

“He was certain he could remain anonymous, but he was wrong,” Biggar said.

“We know our work to disrupt LockBit thus far has been extremely successful in degrading their capability and credibility among the criminal community. The group’s attempt at rebuilding has resulted in a much less sophisticated enterprise with significantly reduced impact.”

“Another huge nail in the LockBit coffin”

The move by law enforcement follows a major global operation led by the NCA, FBI and international partners, known as ‘Operation Cronos’. 

In February, the NCA revealed it had infiltrated the group’s network and taken control of its leak site on the dark web. This operation, authorities said, compromised the “entire criminal enterprise”.

Data obtained from LockBit systems in the wake of the takedown showed that between June 2022 and February 2024 more than 7,000 attacks were waged using their services.

Since then, the group has attempted to rebuild. However, the NCA said that as a result of this operation, the group has been running at “limited capacity” and that threats posed by LockBit have reduced markedly.

“LockBit have created a new leak site on which they have inflated apparent activity by publishing victims targeted prior to the NCA taking control of its services in February, as well as taking credit for attacks perpetrated using other ransomware strains,” the NCA said in a statement.

“Data shows that the average number of monthly LockBit attacks has reduced by 73% in the UK since February’s action, with other countries also reporting reductions. Attacks appear to have been carried out by less sophisticated affiliates with lower levels of impact.”

Hailing the move, Biggar said law enforcement efforts to track down members of the gang will continue.

Authorities will also ramp up targeting of affiliate groups who have used LockBit services to conduct ransomware attacks.

“Working with our international partners, we will use all the tools at our disposal to target other groups like LockBit, expose their leadership and undermine their operations to protect the public,” Biggar said.

Ross Kelly
News and Analysis Editor
