Russian hacking group that extorted Rs 5,600 crore now under US, UK radar

The US and UK have revealed the identity of the leader of a notorious Russian hacking group that allegedly extorted money sufficient to buy six mansions like George Clooney’s Villa Oleandra or build 14 temples similar to Delhi’s Akshardham.

For Dmitry Khoroshev, they have announced a reward at par with the bounty offered for the Mumbai terror attack mastermind Hafiz Saeed: Rs 83 crore.

He is accused of running the world's largest ransomware scheme that extorted more than Rs 5600 crore from notable targets such as Boeing and the United Kingdom's Royal Mail service.

As per the US Department of Justice, Khoroshev himself received a 20 per cent cut in each ransom payment, totalling 2200 bitcoins worth Rs 1,119 crore at May 9 exchange rates in India.

UK’s Crime Agency (NCA) said the amount was received over 18 months.

The US, UK, and Australia have put sanctions against him and are now seeking forfeiture of his illicit gains.

What is LockBit?

Since 2019, LockBit has been operating as a ransomware-as-a-service model where attackers profit from ransom payments. LockBit ransomware spreads automatically within the network encrypting files, leaving ransom notes with instructions for payment.

It targets enterprises and organizations with sensitive information by disrupting their operations, demanding ransom on the dark web, and threatening to publish data if the ransom isn't paid.

LockBit then proceeds to announce about the hack on its dark web page, asking the victim to make contact through an end-to-end encrypted, open-source messaging app that provides an anonymous chat facility.

Global action against LockBit group

In February this year, the Crime Agency, the Federal Bureau of Investigation (FBI), and Europol conducted a coordinated crackdown on LockBit to disrupt its criminal syndicate. It disrupted LockBit’s multiple Onion sites on the dark web.

Following the operation, the NCA revealed that more than 7,000 attacks were built using LockBit services between June 2022 and February 2024. These attacks primarily targeted the US, UK, France, Germany and China.

The attackers targeted more than 100 hospitals and healthcare companies and at least 2,110 victims were forced into some degree of negotiation by cyber criminals, the NCA had said in a statement.

A quick comeback

LockBit’s website resurfaced on the dark web within 3 days of the international coordinated disruption campaign, uploading data related to different victims like the FBI.

After the comeback, the group claimed that the FBI was only able to access the server which was not updated due to negligence, but not the backup servers that they said were up and running all the time.

It also claimed that the operation was intended to prevent the leak of confidential documents from fultoncountyga.gov – the official site of Fulton County of US state of Georgia where former President Donald Trump is accused of election fraud.

On May 5, the website of LockBit’s dark website showed it was again seized by law enforcement agencies. “We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with Law Enforcement :),” the page read.

However, a LockBit administrative staff told a malware librarian who goes by ‘VX-Underground’ that law enforcement was lying. “I don’t understand why they’re putting on this little show. They’re clearly upset, we continue to work,” the staff reportedly said.

In February 2024, Russian nationals Artur Sungatov and Ivan Kondratyev were charged in the District of New Jersey for deploying LockBit against numerous US victims, particularly targeting businesses in manufacturing and other industries.

In the past, LockBit has claimed access to data of some Indian companies such as Polycab India.