Authorities Identified the Alleged Lockbit Boss through Investigation – Krebs on Security

The recent news about the United States, U.K., and Australia sanctioning and charging Russian national Dmitry Yuryevich Khoroshev as the leader of the LockBit ransomware group has stirred up controversy and confusion. Khoroshev, known as “LockBitSupp,” denies the allegations, claiming that the authorities have named the wrong person without providing clear evidence linking him to the crimes.

The U.S. Department of Justice indicted Khoroshev on 26 criminal counts, including extortion, wire fraud, and conspiracy. The government alleges that Khoroshev created, sold, and used the LockBit ransomware strain to extort over $100 million from numerous victim organizations. It also claims that LockBit, as a group, extorted approximately half a billion dollars over a four-year period. Khoroshev reportedly ran LockBit under a “ransomware-as-a-service” model, in which he received 20% of the ransom payments while the affiliates distributing the malware received the rest.

The U.S. Department of the Treasury imposed financial sanctions on Khoroshev, revealing details such as his email and street address in Voronezh, Russia, passport number, and tax ID number. Investigations by various cyber intelligence firms have uncovered Khoroshev’s involvement in registering domains and operating various online personas such as NeroWolfe and Putinkrab on cybercrime forums. These personas were linked to activities involving the sale of malicious code, including ransomware and malware.

NeroWolfe, identified by the ICQ number 669316, was active in Russian cybercrime forums, offering services related to malware development and encryption. Putinkrab, another alias used by Khoroshev, emerged in 2019 on Russian forums, selling ransomware source code written in C and collaborating with affiliates on ransomware projects. Putinkrab’s activities included the development of advanced evasion techniques to avoid detection by security tools and seeking investors for new ransomware initiatives.

The gradual transition from NeroWolfe to Putinkrab hints at Khoroshev’s evolution as a prominent figure in the ransomware industry. The threads of his online activities suggest a deep-rooted involvement in malicious operations, backed by technical expertise in data encryption and malware development. The emergence of LockBit ransomware and Khoroshev’s role as LockBitSupp underscores his presence at the forefront of the ransomware-as-a-service market.

The investigations into Khoroshev’s connections to previous ransomware strains, like Cerber, and the FBI’s recent takeover of LockBit’s infrastructure highlight the ongoing efforts to dismantle cybercriminal networks. The government’s pursuit of Khoroshev involves tracing cryptocurrency transactions and bank accounts linked to his operations, aiming to follow the money trail to identify key players in cybercrime activities.

As the saga unfolds, the intersection of cyber intelligence, law enforcement, and open-source investigations sheds light on the complex web of illicit activities orchestrated by individuals like Khoroshev. The story underscores the challenges of tracking down elusive cybercriminals and the importance of persistent investigation and collaboration to combat the evolving threat landscape in the digital realm.
