{
	"id": "7e615438-f25a-4766-b401-a33984699988",
	"created_at": "2026-04-06T00:15:36.008705Z",
	"updated_at": "2026-04-10T03:24:39.855952Z",
	"deleted_at": null,
	"sha1_hash": "8c71a43d64673bebcad5d853131a82a35ecb3123",
	"title": "U.S. Charges Russian Man as Boss of LockBit Ransomware Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 741683,
	"plain_text": "U.S. Charges Russian Man as Boss of LockBit Ransomware Group\r\nPublished: 2024-05-07 · Archived: 2026-04-05 13:44:33 UTC\r\nThe United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national\r\nDmitry Yuryevich Khoroshev as the alleged leader of the infamous ransomware group LockBit. The U.S.\r\nDepartment of Justice also indicted Khoroshev and charged him with using Lockbit to attack more than 2,000\r\nvictims and extort at least $100 million in ransomware payments.\r\nImage: U.K. National Crime Agency.\r\nKhoroshev (Дмитрий Юрьевич Хорошев), a resident of Voronezh, Russia, was charged in a 26-count indictment\r\nby a grand jury in New Jersey.\r\n“Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and\r\ngroup in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to\r\nthousands of victims around the globe,” U.S. Attorney Philip R. 
Sellinger said in a statement released by the\r\nJustice Department.\r\nThe indictment alleges Khoroshev acted as the LockBit ransomware group’s developer and administrator from its\r\ninception in September 2019 through May 2024, and that he typically received a 20 percent share of each ransom\r\nhttps://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/\r\nPage 1 of 4\n\npayment extorted from LockBit victims.\r\nThe government says LockBit victims included individuals, small businesses, multinational corporations,\r\nhospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.\r\n“Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and\r\ncaused billions of dollars in broader losses, such as lost revenue, incident response, and recovery,” the DOJ said.\r\n“The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800\r\nvictims in the United States.”\r\nThe unmasking of LockBitSupp comes nearly three months after U.S. and U.K. authorities seized the darknet\r\nwebsites run by LockBit, retrofitting them with press releases about the law enforcement action and free tools to help\r\nLockBit victims decrypt infected systems.\r\nThe feds used the existing design on LockBit’s victim shaming website to feature press releases and free\r\ndecryption tools.\r\nOne of the blog captions that authorities left on the seized site was a teaser page that read, “Who is\r\nLockbitSupp?,” which promised to reveal the true identity of the ransomware group leader. That item featured a\r\ncountdown clock until the big reveal, but when the site’s timer expired no such details were offered.\r\nFollowing the FBI’s raid, LockBitSupp took to Russian cybercrime forums to assure his partners and affiliates that\r\nthe ransomware operation was still fully operational. 
LockBitSupp also raised another set of darknet websites that\r\nsoon promised to release data stolen from a number of LockBit victims ransomed prior to the FBI raid.\r\nOne of the victims LockBitSupp continued extorting was Fulton County, Ga. Following the FBI raid, LockbitSupp\r\nvowed to release sensitive documents stolen from the county court system unless paid a ransom demand before\r\nLockBit’s countdown timer expired. But when Fulton County officials refused to pay and the timer expired, no\r\nstolen records were ever published. Experts said it was likely the FBI had in fact seized all of LockBit’s stolen\r\ndata.\r\nLockBitSupp also bragged that their real identity would never be revealed, and at one point offered to pay $10\r\nmillion to anyone who could discover their real name.\r\nKrebsOnSecurity has been in intermittent contact with LockBitSupp for several months over the course of\r\nreporting on different LockBit victims. Reached at the same ToX instant messenger identity that the ransomware\r\ngroup leader has promoted on Russian cybercrime forums, LockBitSupp claimed the authorities named the wrong\r\nguy.\r\n“It’s not me,” LockBitSupp replied in Russian. “I don’t understand how the FBI was able to connect me with this\r\npoor guy. Where is the logical chain that it is me? Don’t you feel sorry for a random innocent person?”\r\nLockBitSupp, who now has a $10 million bounty for his arrest from the U.S. Department of State, has been\r\nknown to be flexible with the truth. 
The Lockbit group routinely practiced “double extortion” against its victims\r\n— requiring one ransom payment for a key to unlock hijacked systems, and a separate payment in exchange for a\r\npromise to delete data stolen from its victims.\r\nBut Justice Department officials say LockBit never deleted its victim data, regardless of whether those\r\norganizations paid a ransom to keep the information from being published on LockBit’s victim shaming website.\r\nKhoroshev is the sixth person officially indicted as an active member of LockBit. The government says Russian\r\nnational Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and\r\nother companies throughout the United States.\r\nIvan Gennadievich Kondratyev, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United\r\nStates, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts arising\r\nfrom his alleged use of the Sodinokibi (aka “REvil”) ransomware variant to encrypt data, exfiltrate victim\r\ninformation, and extort a ransom payment from a corporate victim based in Alameda County, California.\r\nIn May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail “Wazawaka”\r\nMatveev and Mikhail Vasiliev. In January 2022, KrebsOnSecurity published Who is the Network Access Broker\r\n‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.\r\nMatveev remains at large, presumably still in Russia. Meanwhile, the U.S. 
Department of State has a standing $10\r\nmillion reward offer for information leading to Matveev’s arrest.\r\nVasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the\r\ncomplaint against Vasiliev is at this PDF).\r\nIn June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his\r\nparticipation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan,\r\nFrance, and Kenya. Astamirov is currently in custody in the United States awaiting trial.\r\nThe Justice Department is urging victims targeted by LockBit to contact the FBI at https://lockbitvictims.ic3.gov/\r\nto file an official complaint, and to determine whether affected systems can be successfully decrypted.\r\nSource: https://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/"
	],
	"report_names": [
		"u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c71a43d64673bebcad5d853131a82a35ecb3123.pdf",
		"text": "https://archive.orkl.eu/8c71a43d64673bebcad5d853131a82a35ecb3123.txt",
		"img": "https://archive.orkl.eu/8c71a43d64673bebcad5d853131a82a35ecb3123.jpg"
	}
}