United States Sanctions Senior Leader of the LockBit Ransomware Group

The United States reveals the identity of and imposes sanctions on Dmitry Khoroshev, a senior leader of the LockBit ransomware group 

WASHINGTON — Today, the United States designated Dmitry Yuryevich Khoroshev, a Russian national and a leader of the Russia-based LockBit group, for his role in developing and distributing LockBit ransomware. This designation is the result of a collaborative effort with the U.S. Department of Justice, Federal Bureau of Investigation, the United Kingdom’s National Crime Agency, the Australian Federal Police, and other international partners. Concurrently, the Department of Justice is unsealing an indictment and the Department of State is announcing a reward offer for information leading to the arrest and/or conviction of Khoroshev. The United Kingdom and Australia are also announcing the designation of Khoroshev. 

“Today’s action reaffirms our commitment to dismantling the ransomware ecosystem and exposing those who seek to conduct these attacks against the United States, our critical infrastructure, and our citizens,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States, in close coordination with our British and Australian partners, will continue to hold accountable the individuals responsible for these disruptive and threatening activities.”

This designation follows several other recent U.S. Government actions against Russian cybercriminals involved in ransomware, including the disruption of the LockBit ransomware infrastructure and sanctions against LockBit group affiliates. Russia, where groups such as LockBit are free to launch ransomware attacks against the United States, and its allies and partners, continues to offer safe harbor for cybercriminals. The United States has previously stressed that Russia must take concrete steps to prevent cyber criminals from freely operating in its jurisdiction. Today’s actions reflect the commitment of the United States to a long-term, coordinated, and sustained approach to disrupt and degrade the ransomware ecosystem.

Additionally, the U.S. Department of State (State) announced a reward of up to $10 million for information leading to Russian national Dmitry Yuryevich Khoroshev’s arrest and/or conviction for participating in, conspiring to participate in or attempting to participate in, transnational organized crime. On February 20, 2024, the Department of State announced reward offers (up to $10 million) seeking information leading to the identity and location of key leaders of the LockBit ransomware variant group as well as information leading to the arrests and/or convictions of members of the LockBit ransomware variant group (up to $5 million).   

LockBit: ONE OF the most prolific ransomware groupS in the world

The Russia-based LockBit ransomware group is one of the most active ransomware groups in the world and is best known for its ransomware variant of the same name. According to the Department of Justice, LockBit has targeted over 2,500 victims worldwide and is alleged to have received more than $500 million in ransom payments. Since January 2020, affiliates using LockBit have attacked organizations across an array of critical infrastructure sectors, including financial services, education, emergency services, and healthcare. 

LockBit operates on a Ransomware-as-a-Service model, where the group licenses its ransomware software to affiliated cybercriminals in exchange for payment, including a percentage of the paid ransoms. A Ransomware-as-a-Service cybercrime group maintains the functionality of a particular ransomware variant, sells access to that ransomware variant to individuals or groups of operators (often referred to as “affiliates”), and supports affiliates’ deployment of ransomware in exchange for upfront payment, subscription fees, a portion of profits, or a combination of upfront payment, subscription fees, and a portion of profits. Additionally, LockBit is known for its double extortion tactics, where its cybercriminals exfiltrate large amounts of data from its victims before encrypting the victim’s computer systems and demanding ransom payments.

cybercriminal responsible for the lockbit ransomware variant Exposed 

Dmitry Yuryevich Khoroshev (Khoroshev), a Russian national and a leader of LockBit, is the primary operator of the well-known and public-facing LockBit-related cybercrime moniker, “LockBitSupp.” As a core LockBit group leader and developer of the LockBit ransomware, Khoroshev has performed a variety of operational and administrative roles for the cybercrime group, and has benefited financially from the LockBit ransomware attacks. In addition, Khoroshev has facilitated the upgrading of the LockBit infrastructure, recruited new developers for the ransomware, and managed LockBit affiliates. He is also responsible for LockBit’s efforts to continue operations after their disruption by the U.S. and its allies earlier this year.

OFAC is designating Khoroshev pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, for being responsible for or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities described in subsection (a)(ii)(D) of section 1 of E.O. 13694, as amended.

SANCTIONS IMPLICATIONS 

As a result of today’s action, all property and interests in property of this individual that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. OFAC’s regulations generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of blocked persons. In addition, persons that engage in certain transactions with the individual designated today may themselves be exposed to designation. 

The power and integrity of OFAC sanctions derive not only from its ability to designate and add persons to the Specially Designated Nationals and Blocked Persons (SDN) List but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish but to bring about a positive change in behavior. For information concerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s Frequently Asked Question 897 here. For detailed information on the process to submit a request for removal from an OFAC sanctions list, please click here.

See OFAC’s Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments  for information on the actions that OFAC would consider to be mitigating factors in any related enforcement action involving ransomware payments with a potential sanctions nexus. As laid out in the advisory, OFAC strongly encourages all ransomware victims to contact relevant government agencies, including the Federal Bureau of Investigation, to report a ransomware attack. For information on complying with sanctions applicable to virtual currency, see OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry. 

Further, the Cybersecurity & Infrastructure Security Agency in conjunction with other U.S. Departments and Agencies and foreign partners published two cybersecurity advisories, “Understanding Ransomware Threat Actors: LockBit” and “LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability.” These advisories detail the threats posed by this group and provide recommendations to reduce the likelihood and impact of future ransomware incidents.

For more information on the individuals designated today, click here.

###

Official news published at https://home.treasury.gov/news/press-releases/jy2326

Global Media Coverage