7 May 2024

LockBit ransomware leader unmasked, charged and sanctioned in the US, UK, and Australia

In a coordinated effort, US, UK and Australian authorities and Europol have revealed indictments and sanctions against the administrator of the notorious LockBit ransomware operation. For the first time, the identity of the Russian threat actor behind the aliases 'LockBitSupp' and 'putincrab' has been disclosed: Dmitry Yuryevich Khoroshev.

The unveiling comes following a new indictment by the US Department of Justice (DoJ) and a press release by the NCA, confirming Khoroshev's association with LockBitSupp.

According to the indictment, Khoroshev was allegedly the mastermind behind the LockBit ransomware group, acting as both developer and administrator from its inception in September 2019 until May 2024.

The LockBit ransomware-as-a-service (RaaS) operation targeted over 2,500 victims spanning 120 countries, including individuals, small enterprises, multinational corporations, vital institutions like hospitals and schools, nonprofit entities, critical infrastructure, and governmental and law enforcement agencies. Khoroshev and his co-conspirators extorted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses.

Khoroshev orchestrated LockBit's operations, officials say. He oversaw the development of the ransomware code itself, recruited and organized the affiliates responsible for deploying LockBit against targets, and maintained the infrastructure. This infrastructure included a control panel that provided affiliates with the tools needed to execute LockBit attacks. Additionally, Khoroshev managed LockBit's public-facing "data leak site."

The indictment alleges that, as the LockBit developer, Khoroshev typically received a 20% share of each ransom payment extorted from victims, while the remaining 80% went to the affiliate who carried out the attack. Khoroshev purportedly amassed at least $100 million in digital currency from his developer share of LockBit ransom payments.

In addition to the charges, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs have imposed sanctions on Khoroshev, meaning he is now subject to a series of asset freezes and travel bans.

Furthermore, the United States has announced a $10 million reward for information leading to LockBitSupp's arrest or conviction under the Rewards for Justice program.

The LockBit ransomware operation was disrupted in February 2024 as a result of a global law enforcement effort. That operation led to the arrest of several alleged LockBit affiliates in Ukraine and Poland. Additionally, 34 LockBit servers were seized, and more than 14,000 online and web hosting accounts associated with previous LockBit attacks were identified and shut down. Authorities also took control of over 200 cryptocurrency accounts linked to LockBit.

The UK's National Crime Agency (NCA) took the lead in the operation, seizing LockBit's infrastructure, including the leak site used to publish data stolen from ransomware victims. Moreover, over 1,000 decryption keys were obtained, enabling law enforcement to develop a decryption tool that is available through Europol's "NoMoreRansom" platform.

In parallel, US authorities unsealed an indictment against two Russian nationals, Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, for their alleged involvement in deploying LockBit ransomware against multiple victims. Kondratyev faces additional charges related to operating the REvil/Sodinokibi ransomware. Both individuals have been sanctioned by the US Department of the Treasury's Office of Foreign Assets Control.
