COURT DOC: U.S. Charges Russian National with Developing and Operating LockBit Ransomware

“The U.S. Justice Department unsealed charges today against a Russian national for his alleged role as the creator, developer, and administrator of the LockBit ransomware group from its inception in September 2019 through the present. At times, LockBit was the most prolific ransomware group in the world.”

“Dimitry Yuryevich Khoroshev (Дмитрий Юрьевич Хорошев), also known as LockBitSupp, LockBit, and putinkrab, 31, of Voronezh, Russia, is charged by a 26-count indictment returned by a grand jury in the District of New Jersey.”

“The indictment against Khoroshev unsealed today follows a recent disruption of LockBit ransomware in February by the U.K. National Crime Agency’s (NCA) Cyber Division, which worked in cooperation with the Justice Department, FBI, and other international law enforcement partners. As previously announced by the Department, authorities disrupted LockBit by seizing numerous public-facing websites used by LockBit to connect to the organization’s infrastructure and by seizing control of servers used by LockBit administrators, thereby disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data. That disruption succeeded in greatly diminishing LockBit’s reputation and its ability to attack further victims, as alleged by the indictment unsealed today.”

Khoroshev and the LockBit Ransomware Group

“Khoroshev allegedly acted as the LockBit ransomware group’s developer and administrator from its inception in or around September 2019 through May 2024. Khoroshev and his affiliate coconspirators, grew LockBit into what was, at times, the most active and destructive ransomware variant in the world. The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States. LockBit victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies. Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery.”

“Khoroshev allegedly designed LockBit to operate in the ‘ransomware-as-a-service’ (RaaS) model. In his role as the LockBit developer and administrator, Khoroshev arranged for the design of the LockBit ransomware code itself, recruited other LockBit members—called affiliates—to deploy it against victims, and maintained the LockBit infrastructure, including an online software dashboard called a ‘control panel’ to provide the affiliates with the tools necessary to deploy LockBit. Khoroshev also maintained LockBit’s public-facing website—called a ‘data leak site’—for the publication of data stolen from victims who refused to pay a ransom.”

“As alleged in the indictment, Khoroshev—as the LockBit developer—typically received a 20% share of each ransom payment extorted from LockBit victims. The affiliate responsible for an attack would receive the remaining 80%. During the scheme, Khoroshev alone allegedly received at least $100 million in disbursements of digital currency through his developer shares of LockBit ransom payments.”

“LockBit infrastructure seized by law enforcement through the February 2024 disruption allegedly showed that Khoroshev retained copies of data stolen from LockBit victims who had paid the demanded ransom.”

“Khoroshev and his affiliate co-conspirators had falsely promised those victims that their stolen data would be deleted after payment. Moreover, after the February 2024 disruption, Khoroshev allegedly communicated with law enforcement and urged them to disclose the identities of his RaaS competitors—whom Khoroshev called his ‘enemies’—in exchange for his services.”

“Khoroshev is charged with one count of conspiracy to commit fraud, extortion, and related activity in connection with computers; one count of conspiracy to commit wire fraud; eight counts of intentional damage to a protected computer; eight counts of extortion in relation to confidential information from a protected computer; and eight counts of extortion in relation to damage to a protected computer. In total, those charges carry a maximum penalty of 185 years in prison. Each of the 26 counts charged by the indictment also carries a maximum fine of the greatest of $250,000, pecuniary gain to the offender, or pecuniary harm to the victim.”

The LockBit Investigation

“With the indictment unsealed today, a total of six LockBit members have now been charged for their participation in the LockBit conspiracy:

• In February 2024, an indictment was unsealed in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries.
• In June 2023, a criminal complaint was filed in the District of New Jersey charging Ruslan Magomedovich Astamirov, a Russian national, in connection with his participation in the LockBit group. Astamirov is currently in custody awaiting trial.
• In May 2023, two indictments were unsealed in Washington, D.C., and the District of New Jersey charging Mikhail Matveev, also known as ‘Wazawaka,’ ‘m1x,’ ‘Boriselcin,’ and ‘Uhodiransomwar,’ with using different ransomware variants, including LockBit, to attack numerous victims throughout the United States, including the Washington, D.C., Metropolitan Police Department. Matveev is currently the subject of a reward of up to $10 million through the U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program, with information accepted through the FBI tip website at tips.fbi.gov/.
• Finally, in November 2022, a criminal complaint was filed in the District of New Jersey charging Mikhail Vasiliev in connection with his participation in the LockBit ransomware group. Vasiliev, a dual Russian-Canadian national, is currently in custody in Canada awaiting extradition to the United States.” (Source: US Department of Justice)