U.S. Charges Russian National with Developing and Operating LockBit Ransomware
The U.S. Justice Department unsealed charges today against a Russian national for his alleged role as the creator, developer, and administrator of the LockBit ransomware group from its inception in September 2019 through the present. At times, LockBit was the most prolific ransomware group in the world.
“Earlier this year, the Justice Department and our U.K. law enforcement partners disrupted LockBit, a ransomware group responsible for attacks on victims across the United States and around the world,” said Attorney General Merrick B. Garland. “Today we are going a step further, charging the individual who we allege developed and administered this malicious cyber scheme, which has targeted over 2,000 victims and stolen more than $100 million in ransomware payments. We will continue to work closely alongside our partners, across the U.S. government and around the world to disrupt cybercrime operations like LockBit and to find and hold accountable those responsible for them.”
“As part of our unrelenting efforts to dismantle ransomware groups and protect victims, the Justice Department has brought over two dozen criminal charges against the administrator of LockBit, one of the world’s most dangerous ransomware organizations,” said Deputy Attorney General Lisa Monaco. “Working with U.S. and international partners, we are using all our tools to hold ransomware actors accountable—and we continue to encourage victims to report cyberattacks to the FBI when they happen. Reporting an attack could make all the difference in preventing the next one.”
Dimitry Yuryevich Khoroshev (Дмитрий Юрьевич Хорошев), also known as LockBitSupp, LockBit, and putinkrab, 31, of Voronezh, Russia, is charged by a 26-count indictment returned by a grand jury in the District of New Jersey.
“Today’s indictment of LockBit developer and operator Dimitry Yuryevich Khoroshev continues the FBI’s ongoing disruption of the LockBit criminal ecosystem,” said FBI Director Christopher Wray. “The LockBit ransomware group represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals. The charges announced today reflect the FBI’s unyielding commitment to disrupting ransomware organizations and holding the perpetrators accountable.”
The indictment against Khoroshev unsealed today follows a recent disruption of LockBit ransomware in February by the U.K. National Crime Agency’s (NCA) Cyber Division, which worked in cooperation with the Justice Department, FBI, and other international law enforcement partners. As previously announced by the Department, authorities disrupted LockBit by seizing numerous public-facing websites used by LockBit to connect to the organization’s infrastructure and by seizing control of servers used by LockBit administrators, thereby disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data. That disruption succeeded in greatly diminishing LockBit’s reputation and its ability to attack further victims, as alleged by the indictment unsealed today.
“Dmitry Khoroshev conceived, developed, and administered LockBit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey. “He thought he could do so hidden by his notorious moniker ‘LockBitSupp,’ anonymous and free of any consequence, while he personally pocketed $100 million extorted from LockBit’s victims. Through relentless investigation and coordination with our partners at the Criminal Division’s Computer Crime and Intellectual Property Section, the FBI and abroad, we have proven him and his coconspirators wrong. Today’s indictment marks a significant milestone in the investigation and prosecution of LockBit, which has already led to charges against five other LockBit affiliates—two of whom are in custody awaiting trial—and a major disruption of the now discredited LockBit operation.”
In addition, as previously announced, law enforcement developed decryption capabilities that may enable hundreds of victims around the world to restore systems encrypted using the LockBit ransomware variant. Victims targeted by this malware are encouraged to contact the FBI at https://lockbitvictims.ic3.gov/ to enable law enforcement to determine whether affected systems can be successfully decrypted.
According to the indictment and other documents previously unsealed in the District of New Jersey:
Khoroshev and the LockBit Ransomware Group
Khoroshev allegedly acted as the LockBit ransomware group’s developer and administrator from its inception in or around September 2019 through May 2024. Khoroshev and his affiliate co-conspirators grew LockBit into what was, at times, the most active and destructive ransomware variant in the world. The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States. LockBit victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies. Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery.
Khoroshev allegedly designed LockBit to operate in the “ransomware-as-a-service” (RaaS) model. In his role as the LockBit developer and administrator, Khoroshev arranged for the design of the LockBit ransomware code itself, recruited other LockBit members—called affiliates—to deploy it against victims, and maintained the LockBit infrastructure, including an online software dashboard called a “control panel” to provide the affiliates with the tools necessary to deploy LockBit. Khoroshev also maintained LockBit’s public-facing website—called a “data leak site”—for the publication of data stolen from victims who refused to pay a ransom.
As alleged in the indictment, Khoroshev—as the LockBit developer—typically received a 20% share of each ransom payment extorted from LockBit victims. The affiliate responsible for an attack would receive the remaining 80%. During the scheme, Khoroshev alone allegedly received at least $100 million in disbursements of digital currency through his developer shares of LockBit ransom payments.
LockBit infrastructure seized by law enforcement through the February 2024 disruption allegedly showed that Khoroshev retained copies of data stolen from LockBit victims who had paid the demanded ransom.
Khoroshev and his affiliate co-conspirators had falsely promised those victims that their stolen data would be deleted after payment. Moreover, after the February 2024 disruption, Khoroshev allegedly communicated with law enforcement and urged them to disclose the identities of his RaaS competitors—whom Khoroshev called his “enemies”—in exchange for his services.
Khoroshev is charged with one count of conspiracy to commit fraud, extortion, and related activity in connection with computers; one count of conspiracy to commit wire fraud; eight counts of intentional damage to a protected computer; eight counts of extortion in relation to confidential information from a protected computer; and eight counts of extortion in relation to damage to a protected computer. In total, those charges carry a maximum penalty of 185 years in prison. Each of the 26 counts charged by the indictment also carries a maximum fine of the greatest of $250,000, pecuniary gain to the offender, or pecuniary harm to the victim.
The LockBit Investigation
With the indictment unsealed today, a total of six LockBit members have now been charged for their participation in the LockBit conspiracy:
- In February 2024, an indictment was unsealed in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries.
- In June 2023, a criminal complaint was filed in the District of New Jersey charging Ruslan Magomedovich Astamirov, a Russian national, in connection with his participation in the LockBit group. Astamirov is currently in custody awaiting trial.
- In May 2023, two indictments were unsealed in Washington, D.C., and the District of New Jersey charging Mikhail Matveev, also known as “Wazawaka,” “m1x,” “Boriselcin,” and “Uhodiransomwar,” with using different ransomware variants, including LockBit, to attack numerous victims throughout the United States, including the Washington, D.C., Metropolitan Police Department. Matveev is currently the subject of a reward of up to $10 million through the U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program, with information accepted through the FBI tip website at tips.fbi.gov/.
- Finally, in November 2022, a criminal complaint was filed in the District of New Jersey charging Mikhail Vasiliev in connection with his participation in the LockBit ransomware group. Vasiliev, a dual Russian-Canadian national, is currently in custody in Canada awaiting extradition to the United States.
The FBI Newark Field Office is investigating the LockBit ransomware variant.
Trial Attorneys Jessica C. Peck, Debra Ireland, and Jorge Gonzalez of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorneys Andrew M. Trombly, David E. Malagold, and Vinay Limbachia for the District of New Jersey are prosecuting the charges against Khoroshev.
The Justice Department’s Cybercrime Liaison Prosecutor to Eurojust, Office of International Affairs, and National Security Division also provided significant assistance.
Additionally, the Department of the Treasury’s Office of Foreign Assets Control announced today that it is designating Khoroshev for his role in launching cyberattacks. For more information, visit https://home.treasury.gov/news/press-releases/jy2326. Authorities in the United Kingdom and Australia also announced sanctions today against Khoroshev.
The Department of State also announced today a reward of up to $10 million for information that leads to the apprehension of Khoroshev. Information that may be eligible for this award can be submitted by email at fbisupp@fbi.gov, Telegram at @LockbitRewards, Signal at @FBISupp.01, and tox B0B98577F0541160C745B464E42C9AB782B036682FAD59D5F228EA75BF71691BE68A8E08BD55. The reward announced today supplements a previous reward of up to $10 million for information leading to the identification of any individual who holds a leadership position in the criminal group behind LockBit ransomware. For more information on this reward, visit Reward for Information: LockBit Ransomware-as-a-Service.
Victims of LockBit should contact the FBI at https://lockbitvictims.ic3.gov for further information. Additional details on protecting networks against LockBit ransomware are available at StopRansomware.gov. These include Cybersecurity and Infrastructure Security Agency Advisories AA23-325A, AA23-165A, and AA23-075A.
An indictment is merely an allegation. Under U.S. law, all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.