US and allies accuse Russian man of running massive ransomware gang

(CNN) — US, UK and Australian authorities on Tuesday announced sanctions and criminal charges against a 31-year-old Russian man for being the alleged mastermind of a cybercriminal group that has extorted $500 million in ransom payments from thousands of victim organizations in the US and worldwide.

Dmitry Yuryevich Khoroshev is accused of developing malicious software, recruiting hackers and overseeing operations for a crime group known as LockBit that has been described by experts as the most prolific ransomware gang in the world.

The group’s victims included hospitals, schools and law enforcement agencies, and the hackers caused “broader losses and damage of billions of dollars,” according to an indictment unsealed in the District of New Jersey. People affiliated with LockBit claimed credit for a November ransomware attack that forced New Jersey-based Capital Health to cancel some patient appointments, and for ransomware attacks on the Industrial and Commercial Bank of China and Fulton County.

Khoroshev “personally pocketed $100 million,” or a fifth of LockBit’s extortion fees, Philip Sellinger, the US attorney for the district of New Jersey, said in a statement.

Khoroshev is charged with conspiracy to commit fraud, extortion and wire fraud, among other crimes. CNN has attempted to contact him for comment.

US officials did not identify where Khoroshev is located, but the State Department is offering a $10 million reward for information leading to his arrest. Russia “continues to offer safe harbor for cybercriminals,” the Treasury Department said in a statement on Tuesday. Moscow has denied the allegation.

President Joe Biden in 2021 exhorted Russian President Vladimir Putin to crack down on ransomware gangs that were attacking US infrastructure from Russian soil. But any faint hopes of substantive cooperation between Washington and Moscow on cybercrime dimmed with Russia’s full-scale invasion of Ukraine the following year.

Despite the law enforcement crackdowns, ransomware continues to take a toll on US businesses, government agencies and schools of various sizes. A ransomware attack over the weekend on computer systems in the city of Wichita, Kansas, disrupted residents’ access to water bills online and caused departure and arrival screens at the airport to malfunction.

Khoroshev’s indictment is the latest twist in a months-long duel in which law enforcement agencies have seized computer servers used by LockBit, and the hackers have claimed to move to other infrastructure.

The FBI and UK National Crime Agency (NCA) in February said they had developed software that could let “hundreds” of victims worldwide decrypt computers locked by the hackers. The hackers have tried to downplay the damage to their operations, but the sustained efforts to disrupt LockBit appear to be having an impact.

‘Imposing cognitive fear’

The LockBit case is notable because US and European law enforcement officials are using the hackers’ psychological tactics against them in one of the more aggressive public efforts to sow distrust among cybercriminal groups.

Ransomware groups, including LockBit, use a ticking clock on the websites where they extort victims. If they aren’t paid in cryptocurrency by the time the clock runs out, the hackers leak data stolen from the victims.

In this case, the FBI, NCA and other law enforcement agencies have used LockBit’s own websites to taunt its members and set up a countdown clock promising to reveal LockBit’s ringleader.

“Imposing cognitive fear in their life was something that we really focused on,” Tim Court, a senior NCA official involved in the LockBit case, said last month at an event hosted by the Institute for Security and Technology.

“These are individuals in a criminal enterprise who are not tested,” Court said. The LockBit members, he argued, were not “ideologically motivated to withstand immense pressure. They’ve hidden behind the screen, they’re often anonymous and they’re making a lot of money.”

Court said that the operation to infiltrate LockBit’s operations lasted two years.

The NCA so thoroughly compromised the LockBit’s infrastructure that they were able to access the hackers’ latest version of ransomware that they were preparing to release, according to Jon DiMaggio, chief security strategist at cybersecurity firm Analyst1 who has closely studied LockBit.