As promised, the Operation Cronos Task Force has released more information on LockBit’s seized leak site, revealing more details on the ransomware group’s operations and the identity of its main administrator and developer.
The task force identified 31-year-old Russian national Dmitry Yuryevich Khoroshev, known online as ‘LockBitSupp,’ as the mastermind behind LockBit. Khoroshev now faces several indictments and sanctions from various countries in addition to being subject to asset freezes and travel bans.
Alongside Khoroshev, five other LockBit actors were also indicted by the U.S. government, including one who was already sentenced to four years in prison and another who is in custody awaiting trial.
Image 1: Reward poster for LockBit mastermind Dmitry Khoroshev
In addition to the indictments and sanctions, the task force revealed that its seizure of LockBit infrastructure allowed it to obtain more decryption keys than previously indicated, potentially allowing previous victims to restore their systems without paying a ransom.
The task force also revealed a word cloud of surnames it believes LockBit assigned to its affiliates, affiliates it is still working to identify and bring to justice.
Source: Bleeping Computer
Analysis
While the sanctions, travel bans, and asset freezes may impact Khoroshev’s life and LockBit’s operations, his indictment is largely symbolic, as it’s unlikely the U.S. will be able to extradite him from Russia. The indictment does, however, effectively confine Khoroshev within Russia’s borders, as he would risk arrest should he travel to any country with which the U.S. has an extradition treaty.
The Operation Cronos Task Force is likely trolling Khoroshev by specifically offering a $10,000,000 reward for information leading to his arrest or conviction, as Khoroshev himself offered the same amount to anyone who could reveal his identity.
It will be interesting to see just how much impact Operation Cronos’s latest actions have on LockBit’s ability to carry out its operations. LockBit’s victims are now less likely to pay a ransom as doing so could be considered a sanction violation, potentially subjecting the victim to fines.
A possible, and common, move used by ransomware groups who have found themselves in a similar situation is to regroup, retool, and recommence operations under a different name that isn’t subject to sanctions.
Mitigation
While defending against ransomware attacks may seem intimidating initially, even a few simple, easy-to-implement best practices can help prevent attacks. Field Effect recommends that organizations adopt the following best practices:
Back up your data
Regular backups of sensitive and important information can help ensure business continuity during a ransomware attack. These backups should be stored somewhere different than the operational network so that they will not be encrypted during an attack, and thus can be used to restore devices.
Update and patch software
Regular patching, updating, and maintenance help protect against or eliminate known cybersecurity vulnerabilities in IT systems, and they are among the most important steps you can take to improve your security.
Protect systems connected to the internet
Using a DNS firewall limits access to known malicious websites, helping to defend against potential social engineering attacks while blocking malicious code and securing access to cloud apps and corporate websites. Leveraging a virtual private network (VPN) can also help, giving workers a secure means of accessing corporate data or otherwise connecting to networks from remote locations.
Develop a culture of cybersecurity
Organizations should train employees to watch for and understand the tricks attackers use, spot and avoid potential phishing links, and flag requests for personal information or credentials.
Strong password policies, password managers, and multifactor authentication (MFA) also make it more difficult for threat actors to guess, brute force, or use stolen credentials.
Use a cybersecurity solution
Staying ahead of ransomware demands a view into what’s happening across your IT environment. Tools like Field Effect MDR that detect and respond to suspicious activity across networks, end-user devices, and cloud services can help identify and mitigate potential threats early.