Feds launch hunt, offer $10 million reward for Russian ransomware mastermind

The U.S. government has launched a manhunt for a Russian fugitive with a $10 million reward on his head for running the world's largest ransomware scheme that tried to extort millions from notable targets such as Boeing and the United Kingdom's Royal Mail service.

Dmitry Yuryevich Khoroshev, 31, of Voronezh, Russia, was the leader and developer of LockBit, a mercenary ransomware group hired out for cyber hits on organizations ranging from nonprofits to hospitals to schools, according to a federal indictment unsealed this week.

“Most people would not consider being accused of creating and administering the most destructive ransomware group in the world as a badge of honor,” FBI – Newark Special Agent in Charge James E. Dennehy said. “Khoroshev, wears it like an Olympic Gold Medal."

Khoroshev's whereabouts are unknown. The Department of State announced a reward of up to $10 million for information that leads to his arrest.

Lockbit ransomware, first seen on Russian-language-based cybercrime forums in January 2020, has been detected all over the world, with organizations in the United States, India and Brazil among common targets, cybersecurity firm Trend Micro said last year.

Reuters reported last year that Lockbit hackers said they had obtained "a tremendous amount" of sensitive data from aerospace giant Boeing and would dump it online if Boeing didn't pay a massive ransom. Boeing confirmed in November that elements of the company's parts and distribution business had experienced "a cybersecurity incident," but said there was no threat to aircraft or flight safety.

LockBit also threatened at one point to publish stolen data if the Royal Mail service in the U.K. failed to pay a ransom. In an email response to Reuters, Royal Mail said evidence from its investigation suggested that the data allegedly obtained from its network did not contain any financial information or other sensitive customer information.

Khoroshev is charged with conspiracy to commit fraud, extortion and related activity in connection with computers; conspiracy to commit wire fraud; and eight counts of each intentional damage to a protected computer, extortion in relation to information unlawfully obtained from a protected computer and extortion in relation to intentional damage to a protected computer.

The Justice Department’s unmasking and indictment of the Russian national behind LockBit is the latest in federal efforts to stop the ransomware group behind attacks in almost 120 countries that extorted half a billion dollars, of which Khoroshev took 20%, according to federal prosecutors in New Jersey. Five coconspirators have been charged and two are awaiting custody.

The announcement follows an operation in February by federal officials and law enforcement agencies from the United Kingdom to disrupt to LockBit's schemes, said Nicole M. Argentieri, principal deputy assistant attorney general, in a video announcing the indictment.

The Department of Justice official called the ransomware “a menace that attacks schools, hospitals and other critical infrastructure.”

A cyber gun for hire

The ransomware, or software, Khoroshev developed allowed criminals to steal a victim’s data and hold it under the threat of publishing if the victim didn’t pay, according to the indictment.

The ransomware operates by using a number of techniques, such as hacking or stolen credentials, to access a victim’s computer, the indictment says. Then, a custom version of LockBit is used to steal documents and data. 

Afterwards, the criminals leave behind a “ransom note” with instructions on how to get in touch for negotiations and a threat to publish if the victim doesn’t, the indictment says. Criminals demanded the ransom in Bitcoin, typically.

Khoroshev began developing and marketing the ransomware under aliases including “LockBitSupp” and “putinkrab” in September 2019, according to the filing. Third parties effectively rented it to deploy on victims, but the Russian national kept watch and even participated in ransom negotiations, the indictment says.

He marketed it on dark web cybercriminal forums, paying people $1,000 to get tattoos of the LockBit logo as a form of corporate branding of sorts, and turned the cyber gun for hire “into a massive criminal organization that has, at times, ranked as the most prolific and destructive ransomware group in the world,” the indictment says.

More:Global hacking campaign: Energy Department and other agencies hit by wave of cyberattacks.

Taking down “putinkrab”

After about four years of ransomware schemes, law enforcement agencies from the U.S., United Kingdom and “around the world” left LockBit “practically inoperable” in a coordinated strike in February, according to the indictment.

U.K. authorities reviewed seized LockBit data and discovered lists of buyers, victims and documents that supposedly had been deleted after the ransom was paid, the indictment says.

Of the 2,500 victims, around 1,800 were in the U.S. with at least 55 in New Jersey, according to the filing. However, the range of victims spanned from Argentina and Kenya to Finland and China.

Among the victims noted in the lawsuit was a “multinational aeronautical and defense corporation headquartered in Virginia” that received a ransom demand of $200 million. Attacks were costly for victims to handle and caused lost revenue.

Also noted were a Florida-based medical services business; a “major” Taiwanese semiconductor manufacturer; a German automotive parts conglomerate; and, in New Jersey, law enforcement agencies in Passaic and Monmouth counties and a Somerset County school district.

After the February disruption, Khoroshev attempted to launch LockBit again. In an effort to beat out the ransomware competition, he “communicated with law enforcement and offered his services in exchange for information regarding the identity” of competitors, according to the indictment.

The Russian national is quoted saying, “give me the names of my enemies. 

More: Russian hacker charged by U.S. in ransomware attacks that raked in over $200 million.