Did the FBI get LockbitSupp wrong?
TI examines criminal ransomware gang LockBit and its recently exposed leader with cyber security expert Lisa Forte
When the FBI took down ransomware gang LockBit’s site in February, its leader, who goes by the imaginatively-titled pseudonym LockbitSupp, didn’t appear to care much.
In a statement, he claimed to be “too busy relaxing on a yacht” with the riches he’d accumulated to notice the weakness in the organisation’s security. Shortly afterwards, however, the site was back up, and business went on as usual.
So when the UK’s National Crime Agency and the FBI published what they claimed was his identity last week, many in the cyber security industry took great delight.
With his face and name, Dmitry Khoroshev, uncovered, the Russian national received sanctions and travel bans from the UK, US, and Australia.
Malware research collective vx-underground, which regularly posts updates of its findings on social media platform X, claims that the unmasked leader didn’t have a yacht, lived in an average apartment, and struggled to launder his money – casting doubt on the leader’s claims of his carefree, multi-million dollar playboy existence.
LockBit is a ransomware-as-a-service operation that provides its toolkit to a global network of affiliates, who break into businesses, steal their data, and demand money (usually cryptocurrency) in return.
With this, the gang has made over $120 million in ransom payments, according to the US Department of Justice, and has targeted over 2,000 victims.
The Royal Mail, the Ministry of Defence, the National Health Service, and aerospace firm Boeing have been the targets of LockBit’s high-profile attacks.
However, LockbitSupp has rejected claims that he is the unmasked man. “The FBI is bluffing; I’m not Dmitry; I feel sorry for the real Dmitry,” read a status posted by LockbitSupp on the messaging service Tox.
LockBit as an organisation also wrote a post, as revealed by malware repository site vx-underground, offering $1,000 to anyone who can contact Dmitry Khoroshev “to see if he is alive and well.”
Is there any legitimacy in his denial? Have the FBI and NCA really succeeded in uncovering who LockbitSupp is, after the person in question has operated anonymously for so long?
For more clarity on the subject, TI asked ransomware expert Lisa Forte, co-founder of Red Goat Cyber Security, whether international law enforcement has uncovered the right person.
Forte began her security career gathering intelligence on pirates off the coast of Somalia to defend cargo ships, before joining the UK police’s counter-terrorism unit.
Forte maintains that it’s impossible to ascertain from her perspective whether the correct identity and image have been revealed.
“There are a lot of situations where things that ransomware groups have said are true and a lot of situations where they have lied,” she adds.
“From our perspective, we know by his own admission that LockBit became complacent in their security, so it may have been inevitable that we would find out who he is.”
However, Forte adds that it’s possible that the details of Khoroshev may be a stand-in to deflect from the real identity of LockBit’s leader.
“We’ve seen this with hacktivist groups such as Anonymous,” she explains. “It’s the internet, so it’s one of these really difficult situations where we don’t really know.”
Other odd characteristics of the identified man include a recently created LinkedIn account.
“That seems to me like the perfect scapegoat and something to send the investigation down a rabbit hole,” says Forte. “Why has he got a LinkedIn account? It doesn’t make sense.”
According to Forte, we can be more certain that the man identified as LockbitSupp is likely connected to the ransomware group in some way.
“Something would have had to lead them to him. It could be someone in his network, or the leader ‘LockbitSupp’ could be many people; we’re assuming it’s one person,” she adds.
The law enforcement agencies were reluctant to reveal their methods and did not publish how they found Khoroshev, which also makes it difficult to validate the identification externally.
Forte adds that ransomware gangs will undoubtedly feel the aftershock of the revelation, and time and money will need to be spent upping their security, taking attention away from criminal activities.
According to the NCA, since its takedown of the site in February, LockBit attacks have fallen by almost three-quarters in the UK, with other countries also reporting reductions.
Even though many in the cyber security industry and governing bodies ask businesses not to pay the ransom, since paying funds the crime, many still do.
According to cyber security firm Veeam, 80% of organisations worldwide that experienced a ransomware attack between 2022 and 2023 chose to pay the demand, and almost 80% of them received their data back in return.
“Businesses have these relationships with the ransomware groups, and by and large, we haven’t seen them dump data when they’ve been paid,” Forte maintains.
Still, double extortion is believed to be a common tactic, according to another cyber security firm, Cybereason.
Cybereason’s study found that almost 80% of companies that paid ransom went on to suffer a second attack, with over a third attacked by the same threat actor.
However, while it’s a criminal organisation, LockBit runs a tight ship and likes to think it has standards: there are reports that it has its own HR team which manages holiday requests, formal sick leave, and other benefits.
Other criminal gangs, such as DarkSide, have even offered their victims security reports on ransom payments to reveal how they got into their networks, their vulnerabilities and where they should have patched.
According to Forte, even though they are on the radar of law enforcement, hackers do not necessarily fear jail.
“And the reality is, LockbitSupp has still not been arrested,” she states. “Until this person is actually found and charged, it could be anyone.”
If Khoroshev attempts to fly to any of the countries he is banned from, he will be arrested on the spot, but in Russia, he remains free.
This is a major obstacle to taking down ransomware groups, alongside a lack of visibility into the cryptocurrency blockchains on which ransoms are paid.
However, while LockBit has long been linked to Russia, the FBI’s exposé revealed many Anglo-Saxon names: “That’s indicating that there are people doing things on our doorstep, and not necessarily Russian,” Forte adds.
Nevertheless, the security expert believes it may take the gang just a couple of weeks to get everything back on track.
“But you’ve got to keep doing it. You’ve got to keep disrupting these gangs and hope that eventually, it will become too problematic; every win’s a win.”