The FBI, UK National Crime Agency, and Europol have unveiled sweeping indictments and sanctions against the admin of the LockBit ransomware operation, with the identity of the Russian threat actor revealed for the first time.

According to a new indictment by the US Department of Justice and a press release by the NCA, the LockBit ransomware operator known as 'LockBitSupp' and 'putinkrab' has been confirmed to be a Russian national named Dmitry Yuryevich Khoroshev, 31, of Voronezh, Russia, who reportedly earned $100 million as part of the gang's activities.

"The sanctions against Russian national Dmitry Khoroshev (pictured), the administrator and developer of the LockBit ransomware group, are being announced today by the FCDO alongside the US Department of the Treasury's Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs," announced the National Crime Agency.

"Khoroshev, AKA LockBitSupp, who thrived on anonymity and offered a $10 million reward to anyone who could reveal his identity, will now be subject to a series of asset freezes and travel bans."

Today's announcements also include sanctions against Khoroshev, including asset freezes and travel bans. 

"The administrator and developer of LockBit, a Russian national, is now subject to aseries of asset freezes and travel bans issued by the UK Foreign, Commonwealth and Development Office, alongside the US Department of the Treasury's Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs and Trade," reads an announcement from Europol.

These sanctions will cause massive disruptions to the ransomware operation as paying a ransom could potentially break sanctions and impose government fines on companies.

In the past, similar sanctions caused some ransomware negotiators to no longer assist in ransom payments for sanctioned ransomware operations.

The US also offers a $10 million reward for information leading to LockBitSupp's arrest and/or conviction as part of the Rewards for Justice program.

Law enforcement also announced that its hacking and seizure of LockBit infrastructure allowed them to gain more decryption keys than previously announced.

Five other LockBit members have been charged by the US government, including Artur Sungatov, Ivan Kondratyev (Bassterlord), Ruslan Magomedovich Astamirov, Mikhail Matveev (Wazawaka), and Mikhail Vasiliev.

Mikhail Vasiliev was previously arrested and sentenced to four years in prison, while Ruslan Astamirov is in custody awaiting trial.

The rise and fall of LockBit

The LockBit ransomware-as-a-service (Raas) operation launched in September 2019, first calling itself 'ABCD,' and later rebranding as LockBit.

The cybercrime operation developed and maintained the encryptor and Tor negotiation and data leak sites and recruited affiliates, or "adverts," to hack corporate networks, steal data, and encrypt devices.

As part of this arrangement, the LockBit operators earned around 20% of any ransom payments, with the affiliate keeping the rest.

The operation is run by the very public operator known as LockBitSupp, now known to be Khoroshev, who frequented Russian-speaking hacking forums and revelled in talking to journalists and researchers about his criminal enteprise.

While originally claiming to operate from China, today's revelations come as no surprise to learn that LockBitSupp is a Russian national.

LockBit soon became the largest and most active ransomware operation, with a constant stream of new victims announced by the gang's data leak site and 194 affiliates up until February 2024.

However, in February, the ransomware gang suffered a major disruption after a law enforcement action known as 'Operation Cronos' took down LockBit's infrastructure, including 34 servers hosting the data leak website, its mirrors, and the affiliate panel. The action also allowed law enforcement to recover data stolen from the victims, cryptocurrency addresses, decryption keys, and a host of other information about the gang.

While law enforcement originally stated that they were able to obtain 1,000 decryption keys as part of Operation Cronos, today's announcement reveals that they were able to obtain an additional 1,500 decryption keys and are continuing to assist LockBit victims in recovering their files for free.

Analyzing the seized data, the UK's National Crime Agency says LockBit was responsible for extorting $1 billion from thousands of companies worldwide, with the DOJ saying that Khoroshev and his affiliates extorted over $500 million in ransom payments.

Between June 2022 and February 2024, law enforcement claims that the ransomware operation conducted over 7,000 attacks, with the top five countries hit being the US, the UK, France, Germany, and China.

LockBit continues to operate today, targeting new victims and recently releasing a massive amount of old and new data. However, the NCA reports that Operation Cronos led to a mass exodus of affiliates, causing the number of active members to drop from 194 to 69 as the threat actors lost trust in leadership.

While LockBitSupp will likely attempt to retaliate against the US and UK authorities by leaking more sensitive data stolen from victims, this is likely a last gasp of air as the ransomware enters its final days.

Since 2012, when the first modern ransomware known as ACCDFISA began encrypting victims, followed by the infamous CryptoLocker, there has been a constant rotation of the same threat actors operating under different ransomware names.

While these law enforcement actions may cause the LockBit ransomware operation to shut down, we will likely see the same threat actors continue their activity under a new name in the future.