On May 7, 2024, the United States unsealed an indictment against Dmitry Yuryevich Khoroshev, one of the leaders of the Russian-based ransomware group LockBit, for his alleged involvement in developing and distributing the LockBit ransomware. According to the indictment, Khoroshev performed both administrative and operational roles for the cybercrime group, including upgrading the LockBit infrastructure, managing LockBit affiliates, and recruiting new developers for the ransomware. Since emerging in 2020, LockBit has become one of the most prolific ransomware groups in the world, targeting over 2,500 victims worldwide and allegedly receiving more than $500 million in ransom payments, according to Department of Justice statistics. The group licenses its ransomware software of the same name to affiliate cybercriminal groups, which use the software to encrypt and steal data from victims’ systems. LockBit itself provides support and receives a portion of any ransom payment, which is typically made in exchange for system decryption and a promise to delete the stolen data.
The State Department offered a reward of up to $10 million for any information leading to the arrest of Khoroshev, who resides in Russia and remains at large. In addition, the Office of Foreign Assets Control (OFAC) added Khoroshev to its Specially Designated Nationals and Blocked Persons list (“SDN List”).
These actions may be indicative of a continued shift in DOJ’s cybercrime strategy to favor disruption over arrest and prosecution. Historically, the Justice Department has indicted Russian cybercriminals under seal and waited for the criminals to travel to a friendly country from which they could be extradited. So-called “name & shame” indictments are more commonly used against state-sponsored hackers and intelligence agents, who are far less likely to travel to the West than cybercriminals.
Companies that may become victims of ransomware should take note of this case for two reasons. First, the addition of a ransomware leader to the SDN list makes any ransom payment more perilous. Companies considering paying a ransom will have to do increased due diligence to ensure that the payment is not going to Khoroshev, a difficult task when dealing with opaque and dishonest cybercriminals. Second, companies considering a ransom payment should note that the Khoroshev indictment alleges that copies of stolen data were found in Khoroshev’s seized infrastructure, despite promises LockBit allegedly made to victim companies that their data would be deleted after ransoms were paid.