In an unexpected turn of events, LockBitSupp, the administrator of the notorious LockBit ransomware group, responded publicly to the Federal Bureau of Investigation (FBI) and international law enforcement's efforts to identify and apprehend him. After bringing back previously seized domains, law enforcement identified Dmitry Yuryevich Khoroshev as the mastermind behind the LockBit operations in an earlier public announcement. This was followed by official sanctions issued by the U.S., U.K., and Australia, accompanied by 26 criminal charges ranging from extortion to hacking, collectively carrying a potential maximum sentence of 185 years imprisonment. The Justice Department has also offered a staggering $10 million reward for information leading to Khoroshev's capture. However, LockBitSupp denied the allegations and attempted to turn the situation into a peculiar contest on the group's remaining leak site.

LockBitSupp Opens Contest to Seek Contact with Individual

The Lockbit admin made a post within the group's leak site about a new contest (contest.omg) in order to encourage individuals to attempt to contact Dmitry Yuryevich Khoroshev. The announcement asserts that the FBI is wrong in its assessment and that the named individual is not LockBitSupp. The announcement seems to try and attribute the alleged identification mistake as a result of an unfortunate cryptocurrency mixing with the ransomware admin's own cryptocurrency funds, which they claim must have attracted the attention of the FBI. Cryptocurrency mixing is activity done to blend different streams of potentially identifiable cryptocurrency to provide further anonymity of transactions. The contest, brazenly invites participants to reach out to the individual believed to be Dmitry Yuryevich Khoroshev and report back on his wellbeing for $1000. The ransomware admin then claimed that the first person to provide evidence such as videos, photos, or screenshots confirming contact with the the "poor guy," as LockBitSupp refers to him, would receive the reward. [caption id="attachment_67621" align="alignnone" width="1055"] Source: X.com (@RedHatPentester)[/caption] Participants were instructed to send their findings through the encrypted messaging platform Tox, using a specific Tox ID provided by LockBitSupp.

LockBitSupp Shares Details of Named Individual

In addition to the contest details, LockBitSupp shared multiple links to LockBit-associated file-sharing services on the dark web, presumably for individuals to archive gathered details and submit as contest entries. They also listed extensive personal details alleged to belong to Dmitry Khoroshev, including email addresses, a Bitcoin wallet address,  passport and tax identification numbers Amid the defiance and contest announcement, LockBitSupp expressed concern for the well-being of the person they claim has been mistakenly identified as them, urging Dmitry Yuryevich Khoroshev, if alive and aware of the announcement, to make contact. This unusual move by LockBitSupp attempts to challenge the statement made by law enforcement agencies and underscores the complex dynamics of the cyber underworld, where hackers taunt their pursuers openly. LockBitSupp emphasized that the contest will remain relevant as long as the announcement is visible on the blog. The admin hinted that there may be similar contests in the future with more substantial rewards, urging followers to stay tuned for updates. The announcement was uploaded and last updated on May 9, 2024, UTC, leaving the public and the cybersecurity community watching closely for further developments. In a recent indictment Khoroshev was identified to behind LockBit's operations and functioned as the group's administrator since September 2019. Khoroshev and the LockBit group was stated to have extorted at least $500 million from victims in 120 countries across the world. Khoroshev was stated to have received around $100m from his part in this activity. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the infamous ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev and charged him with using Lockbit to attack more than 2,000 victims and extort at least $100 million in ransomware payments.

Khoroshev (Дмитрий Юрьевич Хорошев), a resident of Voronezh, Russia, was charged in a 26-count indictment by a grand jury in New Jersey.

“Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” U.S. Attorney Philip R. Sellinger said in a statement released by the Justice Department.

The indictment alleges Khoroshev acted as the LockBit ransomware group’s developer and administrator from its inception in September 2019 through May 2024, and that he typically received a 20 percent share of each ransom payment extorted from LockBit victims.

The government says LockBit victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.

“Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery,” the DOJ said. “The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States.”

The unmasking of LockBitSupp comes nearly three months after U.S. and U.K. authorities seized the darknet websites run by LockBit, retrofitting it with press releases about the law enforcement action and free tools to help LockBit victims decrypt infected systems.

One of the blog captions that authorities left on the seized site was a teaser page that read, “Who is LockbitSupp?,” which promised to reveal the true identity of the ransomware group leader. That item featured a countdown clock until the big reveal, but when the site’s timer expired no such details were offered.

Following the FBI’s raid, LockBitSupp took to Russian cybercrime forums to assure his partners and affiliates that the ransomware operation was still fully operational. LockBitSupp also raised another set of darknet websites that soon promised to release data stolen from a number of LockBit victims ransomed prior to the FBI raid.

One of the victims LockBitSupp continued extorting was Fulton County, Ga. Following the FBI raid, LockbitSupp vowed to release sensitive documents stolen from the county court system unless paid a ransom demand before LockBit’s countdown timer expired. But when Fulton County officials refused to pay and the timer expired, no stolen records were ever published. Experts said it was likely the FBI had in fact seized all of LockBit’s stolen data.

LockBitSupp also bragged that their real identity would never be revealed, and at one point offered to pay $10 million to anyone who could discover their real name.

KrebsOnSecurity has been in intermittent contact with LockBitSupp for several months over the course of reporting on different LockBit victims. Reached at the same ToX instant messenger identity that the ransomware group leader has promoted on Russian cybercrime forums, LockBitSupp claimed the authorities named the wrong guy.

“It’s not me,” LockBitSupp replied in Russian. “I don’t understand how the FBI was able to connect me with this poor guy. Where is the logical chain that it is me? Don’t you feel sorry for a random innocent person?”

LockBitSupp, who now has a $10 million bounty for his arrest from the U.S. Department of State, has been known to be flexible with the truth. The Lockbit group routinely practiced “double extortion” against its victims — requiring one ransom payment for a key to unlock hijacked systems, and a separate payment in exchange for a promise to delete data stolen from its victims.

But Justice Department officials say LockBit never deleted its victim data, regardless of whether those organizations paid a ransom to keep the information from being published on LockBit’s victim shaming website.

Khoroshev is the sixth person officially indicted as active members of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.

Ivan Gennadievich Kondratyev, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts arising from his alleged use of the Sodinokibi (aka “REvil“) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.

In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail “Wazawaka” Matveev and Mikhail Vasiliev. In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.

Matveev remains at large, presumably still in Russia. Meanwhile, the U.S. Department of State has a standing $10 million reward offer for information leading to Matveev’s arrest.

Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at this PDF).

In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.

The Justice Department is urging victims targeted by LockBit to contact the FBI at https://lockbitvictims.ic3.gov/ to file an official complaint, and to determine whether affected systems can be successfully decrypted.