LockBit Leader Identity Revealed - Legitimate or Troll?

Widely recognised as one of the most prolific ransomware groups in the world, LockBit first surfaced in 2019 as ABCD ransomware. Since it was first detected, the ‘ransomware-as-a-service’ group has released two major updates to the ransomware. The gang was credited with nearly 21% of all ransomware attacks in 2023. LockBit affiliates have been known to gain initial access through various means, including exploiting vulnerable Remote Desktop Protocol (RDP) servers or purchasing compromised credentials from their affiliates. They have also used phishing emails with malicious attachments or links, as well as brute-forcing weak RDP credentials. Upon gaining access to the victim’s machine and escalating privileges, the malware replaces the desktop wallpaper with a ransom note.
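The brute-forcing of weak RDP credentials described above leaves a distinctive trace in Windows Security logs: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a success (event ID 4624). The following Python detector is an added example, not code from the original article or from any LockBit sample; it runs over constructed events in a simplified CSV form, and the threshold, window and field layout are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "timestamp,event_id,logon_type,src_ip,user".
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP. Values are made up.
SAMPLE_EVENTS = """\
2024-02-20T10:00:01,4625,10,203.0.113.7,administrator
2024-02-20T10:00:03,4625,10,203.0.113.7,admin
2024-02-20T10:00:04,4625,10,203.0.113.7,backup
2024-02-20T10:00:06,4625,10,203.0.113.7,sqladmin
2024-02-20T10:00:08,4625,10,203.0.113.7,helpdesk
2024-02-20T10:00:09,4624,10,203.0.113.7,helpdesk
2024-02-20T10:05:00,4625,10,198.51.100.4,jsmith
2024-02-20T10:30:00,4625,10,198.51.100.4,jsmith
2024-02-20T10:31:00,4625,3,203.0.113.9,svc
"""

def parse_events(text):
    """Parse the simplified CSV form into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, src_ip, user = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "src_ip": src_ip, "user": user})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag any source with >= threshold failed RDP logons inside a sliding window.
    Returns {src_ip: {"first_alert", "users", "success_after"}}; success_after marks
    a later successful RDP logon from the same source, the 'password guessed' case."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, user) failures still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        q = recent[ev["src_ip"]]
        if ev["event_id"] == 4625:
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ev["src_ip"] not in alerts:
                alerts[ev["src_ip"]] = {"first_alert": ev["ts"],
                                        "users": sorted({u for _, u in q}),
                                        "success_after": False}
        elif ev["event_id"] == 4624 and ev["src_ip"] in alerts:
            alerts[ev["src_ip"]]["success_after"] = True
    return alerts
```

The single source with two failures 25 minutes apart is not flagged, while the burst of five guesses against different account names followed by a success is.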

With over 2,000 victims and nearly half a billion dollars extorted, the ransomware gang has been on the radar of several law enforcement agencies for a while. On February 19, 2024, as part of Operation Cronos, the National Crime Agency, along with Europol and other international law enforcement agencies, took control of darknet websites that belonged to the LockBit ransomware gang. After the successful takedown of 34 servers in several countries across Europe and the US, a decryptor was developed for LockBit 3.0 and made available for free use. The group has proven resilient, with the malware still spreading as of February 22, 2024.

On May 7, 2023, the United States Department of Justice unveiled the leader of the LockBit ransomware group. Identified as a Russian national named Dmitry Khoroshev, the alleged leader of the group has been sanctioned by the DoJ, which has offered up to $10,000,000 in rewards for information leading to his arrest or conviction. Khoroshev, also known by the moniker LockBitSupp, faces asset freezes and travel bans. The charges filed against Khoroshev named him as the developer and administrator of LockBit since September 2019. However, the group has released several statements claiming the FBI is lying. The group’s leader had previously claimed in February that the government’s access to LockBit’s operations was largely exaggerated. In a statement to the X (formerly Twitter) account vx-underground, the gang’s administrator said “I don’t understand why they’re putting on this little show. They’re clearly upset we continue to work.” After the alleged identity of the LockBit leader was revealed, the group made a statement to the FBI saying they had the wrong person.

Since the inception of ‘Operation Cronos’, several individuals have been arrested for alleged connections to the LockBit gang. A father-son duo was arrested in Poland and Ukraine in February 2024 for affiliation with the gang. In 2023, the US also arrested and charged a number of Russian nationals for involvement with LockBit, including Mikhail Matveev, aka Wazawaka, m1x and Boriselcin (May 2023), and Mikhail Vasiliev (November 2022).

The takedown of the LockBit ransomware operation by international law enforcement agencies is a significant achievement in the fight against cybercrime. While the group’s leader and some of its members have been identified and arrested, it remains to be seen whether the group will be completely dismantled. However, the group’s continued claim that the authorities have the wrong person casts a shadow of doubt on the true identity of the gang’s leader.