U.S. charges architect of LockBit ransomware in major cyber crackdown
The United States Department of Justice has charged Dmitry Yuryevich Khoroshev, accusing him of creating and operating the LockBit ransomware, which has been described as one of the most productive and destructive digital extortion tools in the world.
14 May 2024 19:22
The Verge reports that Khoroshev has played a crucial role in LockBit's operations since the group's emergence in September 2019. In just a few years, the group has claimed over 2,500 victims in at least 120 countries, earning, under Khoroshev's leadership, revenues of at least $500 million from ransoms.
How did LockBit work?
LockBit operated on the principle of "ransomware as a service," allowing cybercriminals to rent the software to attack victims. The software was linked to several high-profile attacks on UK mail, a children's hospital, and the small Canadian town of St. Marys in Ontario. As The Verge reports, in February of this year, U.S. and UK services seized the websites and servers used by LockBit, securing keys that could assist organizations in regaining access to their data.
Alongside Khoroshev, Arthur Sungatov and Ivan Kondratyev were also charged with using LockBit to target victims in the USA.
What consequences does Khoroshev face?
Khoroshev, who took 20% of every ransom and managed the data leak site, is now facing 26 charges, including conspiracy to commit fraud and eight counts of extortion involving the destruction of legally protected computers. He could be sentenced to up to 185 years if found guilty of all charges. The United States Department of Justice has also announced a reward of $10 million for information leading to his capture. The U.S. Attorney for the District of New Jersey, Philip R. Sellinger, highlighted that this is a pivotal moment in the investigation into LockBit members, including Khoroshev, which has interrupted the group's operations and resulted in the indictment of two members.
Was LockBit dismantled?
Despite significant law enforcement efforts, the LockBit ransomware group remains active. Recent actions by the FBI and Europol aimed to dismantle the group's infrastructure and disrupt its operations. These efforts included seizing servers, intercepting key infrastructure components, and transforming the group's data leak site into a law enforcement press portal, significantly impairing LockBit's functionality.
During the operation, the group's online infrastructure within the United States was eliminated, and victims of the ransomware were offered decryption keys to recover encrypted data without paying a ransom. Unfortunately, despite these measures, the group's dark web sites remain online, and the damage caused by past attacks cannot be reversed.