Ransomware Diaries Volume 5: Unmasking LockBit
Written by Jon DiMaggio.
WARNING: PLEASE DO NOT TRY THIS AT HOME. ENGAGING WITH RANSOMWARE CRIMINALS SHOULD ONLY BE ATTEMPTED BY TRAINED PROFESSIONALS. WHILE IT SEEMS “COOL” TO INTERACT WITH BAD GUYS, DOING SO PUTS YOU AND YOUR EMPLOYER AT GREAT RISK. PLEASE DO NOT ATTEMPT TO EMULATE WHAT YOU SEE IN THIS REPORT UNLESS YOU HAVE THE KNOWLEDGE, EXPERIENCE, AND SKILL SET TO PERFORM SUCH ACTIONS. THANK YOU!
NOTE: Before you read this volume of the Ransomware Diaries, please understand that LockBitSupp’s identity only became known earlier today. Therefore, please make your own assessment and validate my findings before using this research for real-world actions. I have been chasing LockBit for a long time and when I found out the DoJ planned to release this information, I decided to publish my research quicker than I intended. Over the past three days, I rushed to put the Ransomware Diaries Volume 5 together. For those reasons, understand this report has not gone through the normal editing and review process, and if there are any grammatical or formatting errors, we will get them corrected as soon as possible.
The Beginning of the End
On 19 February 2024, the National Crime Agency (NCA), a UK National Law Enforcement Agency, in collaboration with the FBI, Europol and 9 other countries under the operational name, “Operation Cronos” disrupted the LockBit ransomware gangʼs data leak site used to shame, extort, and leak data from its victims. We saw stage one on the day one of the takedown when the NCA greeted visitors of LockBit’s dark web leak site with the following seizure banner:
While we only saw the seizure message on day one, the NCA dealt a much more significant blow to the criminals than it first appeared. The NCA completely controlled LockBit’s infrastructure and resources to support and manage its criminal operation. More importantly, the NCA had been inside LockBit’s infrastructure for some time and watched and collected information before the disruption on February 19th.
Additionally, they acquired victim decryption keys, which allowed recent victims to decrypt their data without giving in to LockBit’s extortion demands. The NCA had even compromised and obtained LockBit’s new ransomware payload, which LockBit was staging to release as part of the LockBit 4.0 upgrade.
Stuck in Your Head
Stage two of Operation Cronos began on February 20th. The NCA directed site visitors to a new site that visually resembled LockBit’s data leak site. The site used similar colors and layout but instead of ransomware victim posts, the criminals were the victims. Over the next five days, the NCA posted indictments and sanction announcements against LockBit criminals, which were presented as “victimˮ posts on the NCA-controlled site. You can see an example of one of the posts, which detailed the names of two LockBit affiliates and linked to a press release detailing criminal indictments that the NCA staged on the new leak site:
As part of stage two, the NCA crafted personalized messages to the affiliates participating in LockBit ransomware attacks. The affiliate received their personalized message directly from the NCA when they logged into the LockBit ransomware panel used to facilitate attacks. The message informed each criminal affiliate that law enforcement collected their panel username, cryptocurrency wallet addresses, victim negotiation chat logs, IP addresses used to log into the panel, and transcripts of their conversations with the gang’s leader, LockBitSupp.
Essentially, the NCA silently stood over their shoulder, watching every move the criminals made and wanted to make sure they knew it. I can only imagine the affiliate’s surprise when they logged in expecting to see the admin panel used to attack unsuspecting victims and instead received a tailored message from law enforcement welcoming them. That certainly had a psychological impact on the criminals behind the operation and, more importantly, made them question if LockBit could still provide them with security and anonymity when using the gang’s platform. Unlike most disruption events to date, in stage two, law enforcement implemented a psychological operation (PSYOP). The goal of stage two was to diminish the trust between LockBit’s leadership and the criminals who supported the operation.
Law enforcement’s final move before taking down the seized leak site was to deanonymize LockBitSupp. Like other criminal victims of the NCA, LockBitSupp received their personalized victim post, which you can see below.
In the post, the NCA included a countdown timer. However, for some reason, which only they know, the NCA decided against releasing LockBitSupp’s identity. In the above post, you can see the NCA claims LockBitSupp chose to engage with law enforcement. I am still determining exactly what that means but the statement implies LockBit was cooperating and talking with the NCA. More importantly, they posted a cat meme on LockBitSup’s victim post.
For those who talk with LockBitSupp frequently, you know the significance of the infamous cat meme! I have spent a lot of time engaging with LockBitSupp, and I can tell you that he is very professional and rarely makes jokes or small talk. I gave him the nickname “Mr. GrumpyPantsˮ long ago and have referred to him as that in previous volumes of the Ransomware Diaries. The one thing that always threw me off was when Mr. GrumpyPants, the serious and always business-minded individual, would send me cat memes.
So when I saw the NCA’s post, I knew they actually had collected and assessed LockBit’s communication logs. The cat memes must have also struck them as out of character, which is why they understood the impact a kitty-cat sticker would illicit! While the public may not have picked up on this, those close to LockBit, like his criminal partners, certainly would. Once again, this was an example of how the NCA used psychological tactics to get inside the heads of LockBit criminals and, more importantly, the leader himself.
The NCA handled Operation Cronos using tactics beyond those typically seen in disruption operations. They did not simply take down servers. They were getting into the heads of every criminal who had ever committed a crime or collaborated with LockBit.
LockBit Strikes Back
When you are ransomware’s biggest villain, you don’t lie down and die simply because your job gets hard. When I first heard about the operation, I knew LockBit would not rebrand or simply retire despite making more money than most of us will see in a lifetime of work. While the money is important, it alone is not what drives LockBit. As strange as it sounds, LockBit honestly loves his line of work. He also has a massive ego, and retiring or returning under a new name and operation is something he would only do if he had no other choice. Even if I did not make this assessment, LockBit told us himself on an underground hacking forum a few weeks later.
This is why it was no surprise when LockBit established new infrastructure in less than a week after the take down. LockBit recreated his leak site, which looked visually the same as his previous site, except it had far fewer victims and data. In true LockBit fashion, the first victim on the new site was none other than the FBI. Of course, they were not really a victim. LockBit used the post to generate publicity that he was back and to send a message to the world explaining what happened and why he would not be compromised again. You can see part of LockBit’s explanation below.
Over the next two weeks, LockBit began posting what he claimed were new victims; however, many of them were not new, but simply recent victims whose name and data had not been posted to the leak site before the disruption. One victim in particular that caught my attention was Fulton County, which is a county located in Georgia (US). This was an odd move because Fulton was a victim posted on the leak site prior to the NCA disruption. LockBit added Fulton as a new victim to the leak site due to the high profile publicity surrounding the attack when it was first listed on the previous leak site.
In the attack, LockBit hackers crippled the county affecting many of its administrative systems. The LockBit hackers also stole sensitive data from its systems and threatened to leak it if Fulton refused to pay their extortion demands. The attack received a lot of press before the takedown, and LockBit saw it as an opportunity to generate hype and attention to his narrative that business was back to normal. However, it was not. I knew it, LockBit knew it, and the NCA knew it, but the public and the media did not. For those reasons, LockBit attempted to make a strategic move that, if successful, would provide him a big payout and make waves across US media channels.
There was one problem with this plan. The NCA claimed they seized LockBit’s servers and removed LockBit’s access to the data, which would have included Fulton County. Now, it is always possible that an affiliate had made a copy of the data, but one of LockBit’s selling points to criminals is that he provides the tools and resources to collect, store, and leak victim data. This is a major benefit to criminals because storing and moving large amounts of data across the dark web is not an easy task. Prior to this service, many ransomware criminals would store and distribute data from publicly accessible file-sharing services. The problem they found was that it was too easy for law enforcement and the service provider to terminate access, leaving criminals empty-handed.
I pointed out that LockBit was having issues leaking victim data in the Ransomware Diaries volume three, and it was a big issue for the gang. So, when I saw LockBit post Fulton County as a victim to the new site, I immediately questioned if he really had the data. As it turned out, LockBit was bluffing. He lost access to the data during the seizure and was hoping Fulton would pay up rather than take the chance of having their data leaked. As the timer winded down, LockBit removed the post in an attempt to save face and stage a narrative that Fulton paid, which they stated they did not, and there is no evidence of a sizeable cryptocurrency payment being made to known LockBit wallets over that timeframe. LockBit was bluffing, and this time, it didn’t work. Anyone paying attention saw the writing on the wall. LockBit was in trouble, and despite his attempts to convince the world that he was back, LockBit was struggling. Still, I learned long ago not to underestimate LockBit, and for those reasons, I have been closely monitoring the operation and developments since the disruption.
The Resurrection
One of the ways I stay on top of site outages and various changes to adversary infrastructure is through site monitoring. Every day, I get notifications on sites and their status. On Sunday, May 5th, I thought there was an issue with the service I use to monitor LockBit infrastructure because I got an alert that the domain “lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead[.]onionˮ had changed its status to “online”. The onion link for this domain is associated with LockBit’s previous infrastructure, which was taken down in stage one of the Cronos disruption operation. So, when I saw the alert, I immediately went to the site to see if it was actually online. I was not expecting to find the domain active. I was wrong. It was up, and it was not LockBit who brought the site back; it was another iteration of the Cronos operation. The NCA updated the victim posts on the site with new information, which you can see below.
I also noticed the entries on the posts were created on May 2nd. I still don’t know if the site was up for three days and no one noticed or if the site came online on May 5th or if May 2nd was when the NCA staged the site. However, I did I realize the significance of the update. None of the posts were populated with data. Each post simply had a message:
The most significant post was the entry titled “Who is LockBitSupp,ˮ which was the same image and teaser the NCA published earlier in February, but the countdown clock had now reset and was set to expire on May 7th. It appeared the relationship between the NCA and LockBit had soured, and law enforcement was moving forward and planning to publicly identify who was behind the LockBitSupp identity. A press release and further information on the investigations developments were also scheduled for May 7th. This was the third stage of Operation Cronos. In the past, the FBI took down infrastructure, released information, and issued indictments on the same day.
Teasing the leak of sensitive information, such as the de-anonymization of significant players in a criminal organization, only serves one purpose. To get inside the targets head. Whoever LockBiSupp is would see this and know soon the whole world would know exactly who he is. That would likely cause a lot of stress and anxiety for someone who has lived their life in the shadows. LockBitsupp has taunted the FBI specifically for years, making statements that they are too stupid to catch him. It looks like they were smarter than LockBit thought.
The Unmasking
Stage Four of Operation Cronos began on Tuesday, May 7th, 2024. The goal of stage four is to identify the criminal behind LockBit’s operation publicly. This stage is often misunderstood. You may question why the DoJ would indict a Russian criminal knowing an arrest is highly unlikely since Russia does not view cybercrimes against CIS entities as a crime. The DoJ is looking at a bigger picture. Indicting a Russian cybercriminal has several purposes. First, it is a dox. It shines a light on the person committing the crime, and in cases of high-profile criminals, it plays a role in PSYOPs that I discussed earlier.
Remember, it’s not only law enforcement that wants to see LockBit fall. Many criminals would love to take LockBit’s affiliates and move up the criminal food chain. Similar to how LockBit wanted to push out REvil. The indicted criminal will have to look over their shoulder constantly, making it harder to commit crimes when everyone is watching. It won’t stop them, but remember, the goal is to disrupt and make the criminal’s job harder. This adds to that objective and applies new concerns that the indicted criminal must face. When an indictment and sanctions are applied, it has a much more significant affect, which I will discuss later.
Next, I am going to discuss the the person behind the LockBitSupp persona. Generally, in the Ransomware Diaries, I try to uncover significant aspects from the inside perspective of the ransomware gang by either infiltrating the group using fake personas or talking to them as myself. Today, I am going to do the opposite. I will show you what I learned about the other side of the real world person named in the indictment. My focus is not to show you his crimes, as I have done that extensively in my previous research over the past two years. Instead, I want to show you the other side of who he is and share details about how Operation Cronos impacts ransomware. Now Let’s meet the real LockBitSupp!
Say My Name!
Hi Dmitry!!! Today the Department of Justice unveiled LockBitSupp. I want to introduce you to Dmitry Khoroshev, or as most of us know him, LockBitSupp!
Dmitry was born in Russia on April 17, 1993, and currently resides in the Voronezh region of Russia. He owns several legitimate businesses, also based out of Voronezh, drives a Mercedes and previously owned a Mazda 6, not a lambo as he often boasts, though he could certainly afford one. Dmitry has done an excellent job separating his real-world accounts from those he uses to commit crimes, which is one of the reasons it has taken so long to identify him.
On the legitimate side of his life, Dmitry is also a talented businessman. He has registered and built several companies and websites for organizations in Russia, which I found by searching for information associated with his name and location. Some of the information was not publicly available, so I decided to take a page from LockBit’s book and leverage PII from stolen data on the dark web to learn more about Dmitry! Ironic, right?!
Below is a diagram with all the information I found and how it all links back to Dmitry that you can use to see how I connected the dots to identify the information shared in the remainder of this report. I will not cover everything I discovered, but you will have all the information to research on your own. I also removed some personal information from the graph before making this public. LockBitsup is a criminal without ethics, but I am not, and won’t stoop to his level.
The first business I found Dmitry associated with was a company that uses the domain tkaner[.]com, an ecommerce clothing store based in Russia with no association with nefarious activity. The historical domain record can be seen below:
Domain: tkaner[.]com
“registrant_contact”: {
“full_name”: “
Dmitri Khoroshev“,
“company_name”: “Private Person”,
“mailing_address”: “Kaliningradskaya, 108, kv 61”,
“city_name”: “
Voronezh“,
“state_name”: “Voronezhskaya oblast”,
“zip_code”: “394044”,
“country_name”: “Russian Federation”,
“country_code”: “RU”, “email_address”: ” sitedev5@yandex[.]ru“,
“phone_number”: “+
7.9521020220“
Pivoting on the registrant address, “sitedev5@yandex[.]ruˮ, I found several other legitimate domains:
Looking further, I found Dmitry registered the company Tkaner, also physically located in Voronezh, as a Limited Liability Company in July 2021, two years into actively running the LockBit operation. It crossed my mind that Dmitry could use his companies for money laundering, but I did not have time to include that in the scope of my research for this report. Below is the LLC registration information linking the company to Dmitry.
Next, I looked at the phone number associated with the domain and business license, which led me to several of Dmitry’s email addresses. I refer to these as primary accounts since they are email accounts directly associated with Dmitry and not used for criminal activity.
- d.horoshev[@]gmail.com
- khoroshev1[@]icloud.com
- khoroshev.d[@]gmail.com
- horoshev[@]gmail.com
Pivoting on the addresses I found additional phone numbers associated with Dmitry, but one phone number (+7 952 102 0220) appears to be the most current and is associated with more recent accounts. Currently, this number is being used on an iPhone, and while I did not call it, though I was tempted, I believe it is his current phone number. Below are all the phone numbers, recent and previous, that I found for Dmitry.
- +7 952 102 0220 (Primary)
- +7 951 853 9388
- +7 967 341 5167
- +7 473 241 4824
I also found secondary accounts, which are addresses Dmitry created that were not easily associated with himself and were suspicious. Both came from leak data from the Russian underground hacking forum, Exploit. This does not mean they were associated with his LockBit account. They could be, but they could also be accounts captured in stolen data sold or leaked on the forum. They could even be stolen accounts he acquired but I think that is less likely since he could just have created new accounts on his own.
darkbot[@]smtp.ru
3k[@]xakep.ru (Alias: NeroWolfe)
LockBitSupp talks a lot of game about his OPSEC skills but as they say, it only takes one mistake to blow your cover. Usually, Dmitry used a VPN, but he screwed up and I caught his mistake.
In 2022, Dmitry used the address without a VPN and I was able to access his authentic IP address.
- IP Address: 80.82.46[.]194
Guess where the IP address resolved to!
In addition to the IP address location, the most recent address I found for Dmitry, as of 2021, was near the above location at Voronezh, Shishkova Street, 72/5, apartment 165, floor 7, building 165, as seen below.
I also found two of Dmitry’s VK accounts.
- https://vk[.]com/id195770363 (Deleted)
- https://vk[.]com/id622984899 (Active)
Below is the visible page from his active account. I have no clue why he would have his actual picture or even have a social media account based on his line of work. Not a smart move.
While the second VK account is deleted, I found an archived picture of a younger Dmitry from the now-deleted VK account.
As you can see, there is information out there to lead you to Dmirty, but when I began looking for LockBitSupp, I did not have a name to associate him to. However, I did have a connection to Dmitry prior to the indictment, I just did not know its significance. You see I had been passed an IOC previously, but it was a non-attributable email address that I did not spend much time looking into. The address was allegedly associated with LockBit infrastructure early into the operation. The reason I did not make the connection is because it came to me as a tip from an recently created account with no history. I get tips often in my DMs, but they don’t always go anywhere and I cant spend time on them if I am busy on other research. Luckily, I did look into the lead at the time, which is why I have information to share today. At the time, when I looked into the IOC, it did lead me to Dmitry, but not LockBit and Dmitry looked like a legitimate businessman. For these reasons, I assessed the lead as low confidence and never made the connection to LockBit infrastructure and I still haven’t.
Regardless, after today’s news, I am grateful since I would not have been able to put this together and publish as much information without it. So, whoever you are that passed me the information, thank you! When I saw the indictment, I realized I had been sitting on a gold mine. That is also why this volume of the Ransomware Diaries is written differently than previous volumes; however, I felt it was too important not to include after dedicating much of the past few years to LockBit research.
Closing
The significance of this report is the additional background information on Dmitry. Still, I dislike reporting on real-world people and have stayed away from doxxing for a long time. Since the DoJ did the real dox by releasing Dmitry’s name in today’s indictment, I decided it was worth sharing the information I had available. Nonetheless, the significant events I want you leave with is the improved tactics law enforcement used in Operation Cronos.
The combination of the disruption, PSYOPs tactics, the indictment, and the sanctions released today will have a long-lasting impact on LockBit. The combination of a federal indictment and sanctions will shine a constant light on LockBit and make it illegal for victims to pay a ransom to the LockBit criminal organization. Why would affiliates choose to work with LockBit when obtaining an extortion payment will be far more difficult? They won’t. At least not the smart ones.
On the other hand, to play devil’s advocate, LockBit’s operation has been one of the most active ransomware syndicates of all time. If victims cannot pay, two things could happen. It could destroy companies that cannot recover due to the cost and impact, but it will also destroy LockBit or at least make the group insignificant. I think this is the best move in the long term, as LockBit has been a cancer to companies worldwide for the past four years. It’s time to start doing things differently.
Finally, I want to close this out with a note to my old nemesis, LockBitSupp.
LockBitSupp, you are a smart guy. You said it’s not about the money anymore, and you want to have a million victims before you stop, but sometimes you need to know when to walk away. It is that time, my old friend. You have always been real with me, and I want to be real with you. Take your money and go enjoy your life before you end up in a situation where you can’t. Much like REvil, you have pushed things too far. It’s time to move on. I don’t hate you; I hate what you do, and I did not enjoy putting you on blast today because we have known one another for a long time. The truth is if I didn’t do this today, someone else would. I have too much respect for you as an adversary to watch you get picked apart by some clown with an OSINT handbook, which is all it would take now that your identity is known. With our history, it needed to come from me. It’s time to move on. -Jon
