What We Learned from the Rise and Sudden Fall of the LockBit Ransomware Platform 

On May 7 2024, almost five years after it first appeared, the LockBit ransomware group finally got a human face.

His name is Dmitry Khoroshev (aka ‘LockBitSupp’), alleged by the FBI and UK National Crime Agency (NCA) to be the platform’s administrator, the powerful figure who helped direct it to attack at least 7,000 organizations between June 2022 and February 2024.

We learned that he was 31 years old, was said to live in the Russian city of Voronezh, and was worth $100 million, all earned as commission from ransomware attacks carried out using the LockBit platform.

The picture of him shared by police almost looks like a publicity shot. He stares out of the image gloatingly, presumably because he doesn’t think he’ll ever be arrested. 

He’s a long way from justice but he now has a price on his head, a $10 million reward offered by the FBI for information leading to his arrest.

An inconvenience, perhaps, but going on vacation will also be more difficult than it used to be, thanks to a travel ban.

Khoroshev is not the first face to be associated with LockBit by the police: five others (two of whom are in custody awaiting trial) have been indicted over the last year. But revealing the identity of LockBitSupp – if that’s who Khoroshev really is – is still a significant moment.

“Cyber criminals think they are untouchable, hiding behind anonymous accounts as they try to extort money from their victims,” said U.K. Security Minister Tom Tugendhat at the time.

“By exposing one of the leaders of LockBit, we are sending a clear message to these callous criminals. You cannot hide. You will face justice.” 

Left empty-handed

The authorities were so sure they had their man because of the seismic compromise and takedown of the LockBit platform in February 2024.

But perhaps as important was what police learned about how ransomware platforms operate.

  • On the basis of Khoroshev’s claimed 20% commission, ransoms paid by victims for LockBit attacks reached at least $500 million, or nearly $125 million each year of its operation. 
  • Even when victims opened negotiations with ransomware affiliates, they often broke down – 39 of 119 who engaged with attackers appear not to have paid up.
  • Another 75 involved no negotiation and no payments were made.
  • More ransomware attacks were planned than ever executed. 

Many affiliates also seemed to have paid a lot of money to sign up to the platform but never made a cent. Meanwhile, because so many victims didn’t pay up, ransomware attackers were constantly looking for more victims who might. 

It’s rather like spam or phishing attacks. Because relatively few succeed, and success rates decline over time, more attacks are needed to keep money coming in.

It’s almost as if the whole ransomware-as-a-service business model was a way to allow attacks to scale to account for these gradually diminishing returns. 

And for LockBit, it was a case of the more affiliates the better, including the ones who were left as empty-handed as their victims.
