US and UK Authorities Identify, Sanction and Unseal Indictment Against Leader of LockBit Ransomware Group

TRM InsightsInsights
US and UK Authorities Identify, Sanction and Unseal Indictment Against Leader of LockBit Ransomware Group

Today, the United States and the United Kingdom designated Dmitry Yuryevich Khoroshev, a Russian national and a leader of the Russia-based LockBit group, for his role in developing and distributing LockBit ransomware.

The designation is the result of cooperation and collaboration between the U.S. Treasury, U.S. State Department, the U.S. Department of Justice, Federal Bureau of Investigation, the United Kingdom’s National Crime Agency, the Australian Federal Police, and other international partners. 

Concurrently, the Department of Justice unsealed an indictment and the Department of State announced a reward offer for information leading to the arrest and/or conviction of Khoroshev.

This designation follows several other recent U.S. Government actions against Russian cybercriminals involved in ransomware, including the disruption of the LockBit ransomware infrastructure and sanctions against LockBit group affiliates. 

LockBit is one of the most prolific ransomware groups in the world. The group has had unprecedented impact on businesses and critical infrastructure across the globe, using a Ransomware-as-a-Service (RaaS) model to conduct thousands of attacks and extort victims for large ransom payments in cryptocurrency. Through on-chain analysis, TRM estimates that addresses controlled by LockBit administrators and affiliates have received over GBP 160 million (or USD 200 million) in bitcoin since 2022, of which over 85 million GBP (or 110 million USD) are still unspent in multiple addresses on-chain.

OFAC adds crypto address associated with Khoroshev to sanctions list

In addition to designating Khoroshev today, US Treasury’s Office of Foreign Assets Control also added – XBT bc1qvhnfknw852ephxyc5hm4q520zmvf9maphetc9z – a cryptocurrency address associated with Khoroshev to the sanctions list today.

According to TRM Labs, the address sanctioned by OFAC is associated with hundreds of other addresses connected to Khoroshev. Khoroshev moved funds through a peeling chain, making multiple deposits to different global exchanges.

TRM’s graph visualizer showing the address sanctioned by OFAC.

TRM graph visualizer showing a large peeling chain connected to sanctioned address bc1qvhnfknw852ephxyc5hm4q520zmvf9maphetc9z
TRM’s graph visualizer showing Khuroshev sending funds in a peeling chain and cashing out at global exchanges

Khoroshev’s role as LockBit leader and developer

According to today’s designation, Khoroshev is the primary operator of the well-known and public-facing LockBit-related cybercrime moniker, “LockBitSupp.” As a core LockBit group leader and developer of the LockBit ransomware, Khoroshev has performed a variety of operational and administrative roles for the cybercrime group, and has benefited financially from the LockBit ransomware attacks. In addition, Khoroshev has facilitated the upgrading of the LockBit infrastructure, recruited new developers for the ransomware, and managed LockBit affiliates. He is also responsible for LockBit’s efforts to continue operations after their disruption by the U.S. and its allies earlier this year.

Dmitry Yuryevich Khoroshev (Khoroshev), a Russian national and a leader of LockBit
Photo of Khoroshev from OFAC press release

LockBit’s economic impact 

Since January 2020, LockBit has been the most deployed ransomware variant in the world, with affiliates targeting organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. Some of LockBit’s notable attacks include those on Entrust (June 2022), the Italian Revenue Agency (July 2022), the Royal Mail (January 2023), IBM (May 2023), Carthage Area Hospital & the Clayton-Hepburn Medical Center (September 2023), and Boeing (November 2023).

The economic cost of such attacks extends well beyond the initial ransom payment to include losses from disrupted operations and reputational damage. IBM’s Cost of a Data Breach Report 2023 has estimated that the average cost of a data breach caused by a ransomware attack, not including the ransom payment, is USD 4.45 million. LockBit has committed over 2000 confirmed attacks, suggesting that its economic impact could be over USD 8 billion. 

LockBit has evolved from ABCD to LockBit Green

LockBit emerged in 2019 as an evolution of ABCD ransomware. Its versions have evolved over the years - from LockBit to LockBit 2.0, also known as LockBit Red, to LockBit 3.0, also known as LockBit Black, to LockBit Green, which incorporates source code from Conti ransomware. This most recent variant features a bug bounty program, privacy enhanced cryptocurrencies (e.g. Zcash), and novel extortion methods, incorporating strategies from the BlackMatter and DarkSide ransomware operations. This version, equipped with anti-detection techniques and passwordless execution, also introduced Denial-of-Service attacks to expand LockBit’s capabilities and tactics for extorting victims.

LockBit has scaled its impact with affiliate incentives 

LockBit’s operating model as a RaaS group has been a key driver for the scale of impact and notoriety the group has achieved. LockBit has distinguished itself in the RaaS market through how it has incentivized affiliates to use LockBit tools and infrastructure to execute attacks. These incentives have included ensuring that affiliates receive their share of ransom payments first, rewarding promotional activity and public critiques of competing RaaS platforms, and simplifying ransomware deployment with user-friendly interfaces.

LockBit Tactics, Techniques, and Procedures (TTPs)

LockBit ransomware attacks have typically involved initial access by exploiting vulnerabilities, phishing, or brute-forcing Remote Desktop Protocols. Once inside a network, LockBit actors have used tools like PowerShell Empire, Cobalt Strike, and PsExec for lateral movement and to prepare for encryption. They often delete logs to hinder the victim’s ability to recover. LockBit actors, along with ransomware strains like Rorschach and Babuk, then frequently use a technique called intermittent encryption, targeting only parts of files for faster, more efficient attacks. By minimizing the duration of the visible attack phase, attackers improve their likelihood of success against cybersecurity defenses.

After LockBit encrypts data, the threat actors direct victims to pay a ransom for decryption keys. The ransomware group also operates a leak site where it publishes information about its victims. This site is used as part of a double-extortion tactic: if a victim refuses to pay the ransom, LockBit threatens to release their stolen data on this public platform. The leak site serves as a tool for pressuring victims into complying with ransom demands by exposing sensitive information to the public, thereby increasing the reputational and operational risks for affected organizations.

LockBit has used Bitcoin as the primary cryptocurrency used to facilitate ransom payments, but with the evolution of LockBit 3.0, the group has introduced privacy enhanced payment options such as ZCash for both collecting from victims and paying its affiliates.

On-chain analysis of LockBit activity highlights the group’s operating structure, where victims’ initial ransom payments undergo a financial split: 80% go to the LockBit affiliate, and 20% goes to LockBit’s administrators. LockBit operators have subsequently used Wasabi 2.0 to mix funds and multiple non-custodial exchanges and centralized VASPs in the United States and Asia to launder victim funds.

TRM Graph showing initial ransom payments and 80/20 financial split between LockBit affiliates and administrators.

TRM Graph showing laundering of a 13M USD ransom payment across multiple VASPs

TRM Graph showing laundering of ransom proceeds using multiple smaller cashouts on multiple VASPs

The Role of Blockchain Intelligence in Disrupting Ransomware 

Today’s disruption continues the series of disruptions that law enforcement agencies across the world have prioritized as RaaS continues to pose a threat to citizens and businesses. Given the ever-evolving nature and the unrelenting economic toll of this threat, we expect to continue to see a strong focus on disrupting ransomware threat actors. 

While ransomware groups may evolve TTPs and names, the blockchain remains an immutable ledger. Blockchain Intelligence tools will continue to play a key role in enabling seizures and stopping bad actors. 

TRM is proud to support the Treasury, DOJ, NCA and law enforcement agencies worldwide in their ongoing efforts to safeguard the integrity of our financial systems.

This is some text inside of a div block.
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
No items found.