The U.S. Department of Justice has charged Dmitry Yuryevich Khoroshev, a Russian national, with leading the hacker group responsible for the LockBit ransomware attacks.
The LockBit group is accused of running a ransomware-as-a-service (RaaS) operation, developing malicious code for paying customers who wish to use it for their own ends. The ransomware software could then be used to target victim computers and networks, with hackers using it to encrypt a victim’s computer files and then demand payments to decrypt and return their files.
Federal prosecutors allege Mr. Khoroshev served as the developer and administrator of the LockBit ransomware since the group’s inception in September of 2019, and has remained in this role through to the present day. Prosecutors say Mr. Khoroshev also recruited other LockBit members and maintained a website where the ransomware users could leak data belonging to victims who refused to pay ransoms.
The indictment alleges the LockBit group typically received a 20 percent commission of the proceeds from ransomware attacks using their software. Prosecutors say Mr. Khoroshev and his co-conspirators extracted at least $500 million in ransom payments and cost victims billions more in lost revenue, incident response, and recovery efforts. Mr. Khoroshev allegedly took in at least $100 million in proceeds alone.
Federal prosecutors brought the charges against Mr. Khoroshev before the U.S. District Court for New Jersey. He is charged with a count of conspiracy to commit fraud, extortion, and related activity in connection with computers; a count of conspiracy to commit wire fraud; eight counts of intentional damage to a protected computer; eight counts of extortion in relation to confidential information from a protected computer; and eight counts of extortion in relation to damage to a protected computer.
With the charges stacked together, Mr. Khoroshev faces a maximum penalty of 185 years in prison. The 26 charges he faces also each carry a maximum fine equal to the greatest of either $250,000, the financial gain Mr. Khoroshev allegedly received, or the financial harm his victims allegedly incurred.
While federal prosecutors unsealed their charges against Mr. Khoroshev, the Russian national remains at large. In coordination with the DOJ’s decision to announce the charges, the U.S. State Department announced a reward of up to $10 million for information that leads to his apprehension.
The U.S. Treasury Department and counterparts in the United Kingdom and Australia also announced sanctions against Mr. Khoroshev to seize any assets the Russian national may hold under their jurisdiction.
US, UK Disrupted LockBit Attack in Joint Efforts: Prosecutors
The charges against Mr. Khoroshev come as the latest step in efforts to break up the LockBit network.Canadian authorities arrested Mikhail Vasiliev, a dual Russian and Canadian national, in November 2022 in connection with the LockBit network.
In May 2023, the DOJ announced charges against another Russian national, Mikhail Pavlovich Matveev, who remains at large. As with Mr. Khoroshev, the U.S. government is offering a reward of up to $10 million for information leading to Mr. Matveev’s apprehension.
According to the new indictment against Mr. Khoroshev, U.S. and UK authorities seized control over part of the LockBit network’s infrastructure during the February operation, “rendering it practically inoperable and allowing law enforcement to review the data stored on it.
“Earlier this year, the Justice Department and our UK law enforcement partners disrupted LockBit, a ransomware group responsible for attacks on victims across the United States and around the world,” U.S. Attorney General Merrick B. Garland said Tuesday. “Today we are going a step further, charging the individual who we allege developed and administered this malicious cyber scheme, which has targeted over 2,000 victims and stolen more than $100 million in ransomware payments.”
The indictment states that after this February operation, Mr. Khoroshev attempted to revive the LockBit ransomware service network but found that LockBit’s reputation in the ransomware space had diminished following the joint U.S.-UK operation. Prosecutors allege Mr. Khoroshev eventually began communicating with U.S. investigators, offering them his services in exchange for information regarding the identities of his competitors in the criminal ransomware field.
“Today’s indictment of LockBit developer and operator Dmitry Yuryevich Khoroshev continues the FBI’s ongoing disruption of the LockBit criminal ecosystem,” FBI Director Christopher Wray said. “The LockBit ransomware group represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals. The charges announced today reflect the FBI’s unyielding commitment to disrupting ransomware organizations and holding the perpetrators accountable.”