
Law enforcement indicts mastermind behind LockBit ransomware gang

Dmitry Yuryevich Khoroshev

The U.S. Justice Department on May 7 unsealed charges against a Russian national for his alleged role as the creator, developer and administrator of LockBit, arguably one of the most prolific ransomware gangs and an early pioneer of the ransomware-as-a-service (RaaS) model.

The 26-count indictment, returned by a grand jury in the District of New Jersey, alleges that since September 2019 Dmitry Yuryevich Khoroshev, 31, of Voronezh, Russia, and the LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States.

While no arrest was made, Khoroshev will be subject to a series of asset freezes and travel bans.

According to the indictment, Khoroshev was charged with one count of conspiracy to commit fraud, extortion, and related activity in connection with computers; one count of conspiracy to commit wire fraud; eight counts of intentional damage to a protected computer; eight counts of extortion in relation to confidential information from a protected computer; and eight counts of extortion in relation to damage to a protected computer. In total, the charges carry a maximum penalty of 185 years in prison.

LockBit’s victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies. Some prominent targets include the Thales Group, the Toronto Hospital for Sick Children, and the U.S. subsidiary of the Chinese state-owned Industrial and Commercial Bank of China.

Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue and incident response and recovery costs, according to the indictment.

“Today’s indictment of LockBit developer and operator Dmitry Yuryevich Khoroshev continues the FBI’s ongoing disruption of the LockBit criminal ecosystem,” said FBI Director Christopher Wray. “The LockBit ransomware group represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals. The charges announced today reflect the FBI’s unyielding commitment to disrupting ransomware organizations and holding the perpetrators accountable.”

The indictment of Khoroshev follows years of international law enforcement efforts to take LockBit down. Earlier this year, a task force of 17 agencies, including the FBI, the UK’s National Crime Agency (NCA) and Europol, took control of key LockBit infrastructure, including numerous dark web websites. An FBI official told Bloomberg that law enforcement from 11 countries took part in the operation, which seized 11,000 domains used by LockBit and its ransomware affiliates.

Security pros have differing views of the Khoroshev indictment

“In the same way that arresting the head of a drug empire does little to slow drugs into the U.S., this is a largely insignificant action,” said Steve Hahn, executive vice president of Americas at BullWall. “No one has been arrested. It doesn’t seem they got to his money. Sanctions only work if he travels outside of Russia, which is unlikely, but if he does, I’m sure he has multiple identities. So they’ve only identified him and nothing more.”

Hahn added that those who say the sanctions will affect his Bitcoin payments are also wildly misguided. Threat actors like this don’t use public exchanges or services like Coinbase to house their Bitcoin assets, said Hahn — they use secure private wallets which can’t be sanctioned.

“These groups often disband and reform with new identities and names, so the loss of affiliates is likely such a reorg,” said Hahn. “Just a couple of months back, the FBI claimed to have taken down BlackCat infrastructure and the hope was this would disrupt operations. In the BlackCat event, there were actual arrests and actual seizures. Days later, BlackCat was fully operational, and weeks after that they facilitated the most costly ransomware attack in world history on United Healthcare.”

Sarah Jones, cyber threat analyst at Critical Start, thought that law enforcement's concentrated efforts against LockBit are likely to have a significant impact, but warned the fight is far from over. Jones said the takedown of LockBit's infrastructure and the sanctions against its leader have thrown a wrench into their operations.

“Disrupted functionality, a fractured network of affiliates wary of sanctions, and a potential decline in ransom payments due to the risk of violating regulations all paint a picture of a weakened LockBit,” said Jones. “Law enforcement's retrieval of decryption keys further aids victims in recovering their data, mitigating some of the damage caused by these attacks. This takedown also serves as a deterrent to other cybercriminal groups, highlighting the risks associated with ransomware operations. However, challenges remain. LockBit's past adaptability suggests they may attempt to rebuild their infrastructure, recruit new affiliates, or find ways to circumvent sanctions.”

Narayana Pappu, chief executive officer at Zendata, added that targeted sanctions have simply resulted in ransomware groups switching tactics, as was the case with Evil Corp, which caused over $100 million in losses to banks after sanctions were placed on it in 2020.

“Having said that, the sanctions increase awareness of the specific ransomware among cybersecurity professionals, help drive proactive mitigation efforts, and, to a small extent, act as a deterrent and reduce the occurrence of a particular type of ransomware incident,” said Pappu. “LockBit although prominent, did not [solely] pioneer the RaaS model — there were a couple of others, including Dharma ransomware that used this model before 2019 when LockBit started.”

For victim companies looking for recourse, law enforcement developed decryption capabilities that could potentially let hundreds of victims around the world restore systems encrypted using the LockBit ransomware variant. The Justice Department said victims targeted by the LockBit malware are encouraged to contact the FBI to enable law enforcement to determine whether affected systems can be successfully decrypted.
