May 8, 2024
Severity: High
For the first time, the identity of the Russian threat actor behind the LockBit ransomware operation has been made public through a series of broad indictments and sanctions released by the FBI, UK National Crime Agency, and Europol against the operation's administrator.
The LockBit ransomware operator known as "LockBitSupp" and "putinkrab" has been identified as Dmitry Yuryevich Khoroshev, aged 31 from Voronezh, Russia, according to a press release from the NCA and a new indictment by the US Department of Justice. Khoroshev reportedly made $100 million from the gang's operations.
The UK National Crime Agency announced, “The sanctions against Russian national Dmitry Khoroshev (pictured), the administrator and developer of the LockBit ransomware group, are being announced today by the FCDO alongside the US Department of the Treasury's Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.”
The announcement also states that travel restrictions and asset freezes now apply to Khoroshev, also known as LockBitSupp, who thrived on anonymity and offered a $10 million prize to anyone who could identify him. A separate announcement from Europol states that the UK Foreign, Commonwealth and Development Office, the US Department of the Treasury's Office of Foreign Assets Control (OFAC), and the Australian Department of Foreign Affairs and Trade have all imposed asset freezes and travel bans on the Russian national who created and administered LockBit.
These measures will severely hinder the ransomware operation, since paying a ransom to a sanctioned entity could violate the sanctions and expose the paying company to government fines. Under similar sanctions in the past, some ransomware negotiators have refused to assist with extortion payments to sanctioned ransomware operations.
Within the Rewards for Justice Program, the US additionally offers a $10 million prize for information that results in LockBitSupp's apprehension and/or conviction. In addition, law enforcement declared that they had obtained more decryption keys than they had previously disclosed through their hacking and confiscation of LockBit infrastructure.
The ransomware-as-a-service (RaaS) operation known as LockBit was first identified in September 2019 under the name 'ABCD' and subsequently renamed itself LockBit. The cybercrime operation recruited affiliates to penetrate company networks, steal data, and encrypt devices, while the operators built and maintained the encryptor, the Tor negotiation site, and the data leak sites. The LockBit operators received about 20% of any ransom payment, and the affiliate kept the remainder.
The highly visible operator known as LockBitSupp, now identified as Khoroshev, is in charge of the operation. He frequently posted on Russian-speaking hacker forums and took great pleasure in discussing his illegal enterprise with reporters and researchers. Although LockBitSupp initially claimed to be based in China, it is not surprising, given the recent disclosures, to learn that he is actually a Russian national.
With 194 affiliates and a continuous stream of new victims published by the gang's data breach website until February 2024, LockBit quickly emerged as the biggest and most active ransomware operation. But in February, the ransomware group experienced a significant setback when LockBit's infrastructure—which included 34 servers hosting the data leak website, its mirrors, and the affiliate panel—was taken down by a law enforcement operation dubbed "Operation Cronos". Law enforcement was also able to retrieve Bitcoin addresses, decryption keys, data that had been stolen from the victims, and a plethora of other details regarding the gang thanks to this move.
As part of Operation Cronos, law enforcement first claimed to have obtained 1,000 decryption keys; however, recent news indicates that they have obtained an additional 1,500 decryption keys. They are still offering free assistance to LockBit victims in retrieving their files. After examining the confiscated data, the UK's National Crime Agency concluded that LockBit was responsible for demanding $1 billion in ransom payments from thousands of businesses throughout the globe. Meanwhile, the DOJ claimed that Khoroshev and his associates had extracted more than $500 million in ransom.
According to law enforcement, the ransomware campaign targeted over 7,000 nations between June 2022 and February 2024, with the US, the UK, France, Germany, and China being the top five countries affected. LockBit is still active today, pursuing fresh victims and recently releasing large volumes of new and old stolen data. However, according to the NCA, Operation Cronos caused a large-scale departure of affiliates, with active members falling from 194 to 69 as threat actors lost faith in the organization's leadership.
As the operation approaches its end, LockBitSupp is likely to vent his frustration by hitting back at the US and UK authorities, most plausibly by disclosing additional private information taken from victims. Even if the LockBit ransomware operation ceases as a result of these law enforcement actions, the same threat actors will probably carry on in the future under a different alias.