A Russian citizen has been pinned as a leader of notorious ransom gang Lockbit, earning himself financial sanctions, travel bans and bounty-like measures across the UK, US and Australia.
On Tuesday, the Australian government named Dmitry Khoroshev as a senior leader of Lockbit, the prolific ransomware group which has been at war with global authorities through most of 2024.
Described as a “prolific criminal ransomware group” which works to “destabilise and disrupt key sectors for financial gain”, Lockbit has posed a significant threat in Australia where it accounted for 18% of reported Australian ransomware incidents in 2022-23.
In addition to identifying 31-year-old Russian citizen Khoroshev, Australia’s government has also hit the alleged criminal with both a travel ban and targeted financial sanction.
Marking the second use of Australia’s autonomous cyber sanctions framework – the first of which was leveraged against another Russian hacker for the historical 2022 data breach at health insurer Medibank – the sanction makes it a criminal offence to provide assets or deal with assets belonging to Khoroshev.
Cyber Security Minister Clare O’Neil described the sanction as “an important step in breaking the ransomware business model”, stating it will prevent cyber criminals from “profiting from attacks on Australian citizens and businesses.”
“For too long, criminals like those behind Lockbit have hidden in the shadows,” said O’Neil.
“Our government is changing that.
“[We’re] hunting down cyber criminals by working with our international partners to hack the hackers and punishing them where we can.”
The announcement comes as part of Operation Cronos, a joint disruption effort involving the Australian Signals Directorate, the Australian Federal Police, and global authorities from ten other countries.
The operation has further seen Khoroshev identified and sanctioned in both the UK and US, with the US Department of State offering a reward of up $15.2 million ($US10 million) for information leading to Khoroshev’s arrest and/or conviction.
Though it remains unclear whether Lockbit will persist in the face of these actions, the US Treasury Department described Khoroshev as a group leader and developer of Lockbit, performing such crucial tasks as infrastructure upgrades, recruitment, and management of the group’s criminal affiliates under its Ransomware-as-a-Service (RaaS) model.
Delivering the final blow
After heading multiple high-profile attacks against critical infrastructure organisations – including a massively disruptive 2023 incident at UK mail delivery service Royal Mail – Lockbit drew enough ire from international authorities to warrant server takedowns, multiple arrests, and a jail sentence.
Authorities have been eager to put a pin in the Lockbit saga, with the UK’s National Crime Agency (NCA) on Tuesday decisively stating Lockbit “was once the world’s most harmful cybercrime group”, however the gang continues to post new victims to its dark web site as recently as 7 May – including an April listing for a prominent operator of Australian call centres, OracleCMS.
The NCA has assessed as a result of Operation Cronos, Lockbit is “currently running at limited capacity” with many of its recently published victims having been targeted prior to the NCA taking control of the gang’s services.
Meanwhile, under the pseudonym “LockBitSupp”, Khoroshev has publicly downplayed efforts against the gang and threatened increased attacks, all-the-while boasting about lavish yacht rides and stating “what doesn’t kill me makes me stronger”.
Alexander Leslie, threat intelligence analyst at cybersecurity company Recorded Future, told Information Age sanctioning Khoroshev is “an effective way to cripple Lockbit from the top-down”, explaining Lockbit is dependent on an affiliate model which relies “entirely on affiliates to conduct attacks under the Lockbit ‘brand’”.
“These actions sow distrust amongst affiliates, and trust is the most important commodity that ransomware groups possess,” Leslie explained.
“If their affiliates refuse to work under their banner, then the business model collapses.
“It is no longer viable, nor scalable.”
In an assessment released Tuesday, cyber threat intelligence company Intel471 observed the international actions against Lockbit have significantly lowered its known victim-count, suggesting the group may have lost affiliates due to “worries over exposure to law enforcement”.
“This new reveal by law enforcement possibly will compound this decline,” wrote Intel471.
“Since the initial disruption, LockBitSupp has been vocal in trying to assuage doubts and likely will seek to rebut any claims about the actor's identity.
“Nonetheless, this action will contribute to the degradation of Lockbit’s RaaS program and remind associated threat actors that they face risks by working with Lockbit.”