The Alleged LockBit Ransomware Mastermind Has Been Identified

The Alleged LockBit Ransomware Mastermind Has Been Identified

“He didn’t merely take cash for himself, however he reinvested it into growing his operation and making it extra fascinating to criminals,” DiMaggio says. All through the lifecycle of the LockBit group, two main updates and releases of its malware occurred, with every extra succesful and simpler to make use of than the final. Evaluation from the legislation enforcement operation by safety firm Pattern Micro exhibits it was engaged on a brand new model too.

DiMaggio says the individual he was talking to privately utilizing the LockBitSupp moniker was “conceited” however “all enterprise and really critical”—apart from sending cat stickers as a part of chats. Publicly, on Russian language cybercrime boards the place hackers commerce information and talk about hacking politics and information, LockBitSupp was fully totally different, DiMaggio says.

“The persona he amplified on the Russian hacking boards was a mixture of a supervillain and Tony Montana from Scarface,” DiMaggio says. “He flaunted his success and cash, and it rubbed individuals the fallacious method at occasions.”

Along with setting a bounty on their very own identification, LockBitSupp’s extra progressive and erratic aspect additionally organized an essay-writing competitors on the hacking boards, provided a “bug bounty” if individuals discovered flaws in LockBit’s code, and stated they might pay $1,000 to anybody who obtained the LockBit emblem as a tattoo. Round 20 individuals posted footage and movies of their tattoos.

Quickly after legislation enforcement claimed to have revealed LockBitSupp’s identification, DiMaggio revealed new analysis about Khoroshev. Utilizing a tip he obtained, plus open supply intelligence and leaked info on the darkish net, DiMaggio discovered social media profiles and additional private info believed to be linked to the Russian nationwide.

“He owns a number of official companies, additionally primarily based out of Voronezh, drives a Mercedes, and beforehand owned a Mazda 6, not a lambo as he usually boasts,” DiMaggio writes within the analysis. One of many e mail addresses included within the sanctions has hyperlinks to a Russia-based e-commerce enterprise registered within the identify of Khoroshev, he writes. A number of different emails and cellphone numbers had been linked to those particulars, DiMaggio’s analysis says.

LockBitSupp was banned from two distinguished Russian-language cybercrime boards in January after a criticism was made about their habits. “They’ve made companions, supporters, haters, and followers over time,” says Victoria Kivilevich, director of menace analysis at safety agency KELA.

Evaluation of cybercrime boards by Kivilevich exhibits the Russian-language ecosystems had blended responses, together with shock when LockBit was first compromised by legislation enforcement. “Customers gloating that LockBit lastly failed and obtained what he deserved, making references to his statements the place he bragged how [about how] LockBit ‘RaaS’ is safe and higher than some other operations,” Kivilevich says.

Different discussion board customers questioned the technical selections of LockBitSupp and whether or not they had collaborated with legislation enforcement, the researcher says. There have been discussion board customers who reacted neutrally, “largely saying the operation received’t have an effect on LockBit a lot and the operation will live on,” Kivilevich says.


After Operation Cronos took LockBit offline in February, it took LockBitSupp solely 5 days to create duplicate variations of the group’s leak web site. The web site then began to be full of obvious victims; it appeared just like the LockBit group hadn’t been impacted by having all of its inside secrets and techniques accessed by police world wide.

These just lately posted victims aren’t what they appear, although, a number of consultants say. “The precise legislation enforcement intervention has been vital,” says Matt Hull, the worldwide head of menace intelligence at cybersecurity agency NCC Group. The NCA says the variety of LockBit associates has dropped to 69 since its February takedown, whereas the DOJ indictment says LockBit’s sufferer rely has “vastly diminished” since then.

We use cookies to enable site functionality and collect data about user interactions. By clicking Accept, you agree to our use for advertising, analytics, and support.