Administrator of ransomware operation LockBit named, charged, has assets frozen

The suspected creator and administrator of the notorious LockBit ransomware-as-a-service operation was indicted Tuesday in the United States on more than two dozen criminal charges. In addition, the US, UK, and Australian governments have frozen some of his assets and issued travel bans against him.

According to announcements by the UK National Crime Agency (NCA) and the US Department of Justice, the administrator known as LockBitSupp is alleged to be Dimitry Yuryevich Khoroshev, a 31-year-old Russian national from the city of Voronezh.

Other identities used by Khoroshev while allegedly managing the ransomware operation, hiring developers, and recruiting affiliates included LockBit and putinkrab.

In February, the NCA, working with the FBI, Europol and law enforcement agencies from several other countries, managed to disrupt the LockBit operations by seizing its websites and servers. The information obtained from that effort, dubbed Operation Cronos, led to the identification of several LockBit affiliates, as well as the user named LockBitSupp, who was believed to be the creator and administrator of the notorious ransomware service.

$10-million reward offered for information leading to arrest

The UK Foreign, Commonwealth and Development Office together with the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs and Trade have issued sanctions against Khoroshev, while the US State Department put up a $10-million reward for information leading to his arrest.

“As a result of today’s action, all property and interests in property of this individual that are in the United States or in the possession or control of US persons must be blocked and reported to OFAC,” the US Treasury said in a press release.

“OFAC’s regulations generally prohibit all dealings by US persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of blocked persons. In addition, persons that engage in certain transactions with the individual designated today may themselves be exposed to designation.”

Sanctions may affect ability of victims to pay ransoms

The effect of these sanctions might also impact the ability of victims to make ransom payments to LockBit, and by extension Khoroshev, which has attempted to keep the ransomware operation going after the disruption in February. That said, authorities obtained over 2,500 decryption keys that are being distributed to ransomware victims through the NoMoreRansom Project.

LockBit has been the top ransomware by number of attacks for the past several years. According to the NCA, data recovered by authorities from the seized servers show that between June 2022 and February 2024, LockBit ransomware was used in over 7,000 attacks which resulted in 2,110 victims engaging in some level of negotiation with the gang and its affiliates. The service had 194 affiliates of which 119 negotiated with victims. It’s estimated that victims paid over $120 million.