UK and allies sanction prolific cyber hacker

The UK, US and Australia have today (Tuesday 7 May) sanctioned a senior Russia-based leader of LockBit, once one of the world's most pernicious cybercrime gangs. 

Today's sanctions target Russian national Dmitry Khoroshev who has been identified, as part of an ongoing international law enforcement investigation, as one of the leaders of LockBit, the ransomware group responsible for extorting over $1 billion from thousands of victims globally. 

In February the NCA announced that it had infiltrated the group's network and taken control of its services, compromising the entire criminal enterprise. The group has attempted to rebuild over the last two months, however the NCA assesses that as a result of this investigation, they are currently running at limited capacity and the global threat from LockBit has significantly reduced. 

The gang was responsible for 25% of ransomware attacks globally last year, targeting thousands of victims over the years including over 200 UK businesses. LockBit orchestrated a malicious online campaign, illegally stealing and using sensitive data to extract billions of dollars from business and individuals.   

Today's measures will directly target a senior leader of the gang responsible for these atrocious attacks. Khoroshev will now be subject to a series of asset freezes and travel bans.   

Sanctions Minister, Anne-Marie Trevelyan said: 

Together with our allies we will continue to crack down on hostile cyber activity which is destroying livelihoods and businesses across the world. 

In sanctioning one of the leaders of LockBit we are taking direct action against those who continue to threaten global security, while simultaneously exposing the malicious cyber-criminal activity emanating from Russia.” 

National Crime Agency Director General Graeme Biggar said: 

These sanctions are an important moment in our fight against cyber criminals behind the LockBit ransomware group, which is now on its knees following our disruption earlier this year. 

They have caused untold damage to schools, hospitals and major companies across the world, who've had to pick up the pieces following devastating cyber attacks. 

Dmitry Khoroshev thought he was beyond reproach, even offering $10m to anyone who could reveal his identity, but these actions dispel that myth. Our investigation into LockBit and its affiliates continues and, working with our international partners, we'll do everything we can to undermine their operations and protect the public.” 

Eleanor Fairford, National Cyber Security Centre (NCSC) Deputy Director for Incident Management, said: 

Ransomware attacks pose a massive threat to UK businesses and their impacts can be severe and long-lasting, disrupting operations and putting potentially sensitive data at risk. 

It is crucial organisations ensure they have strong online defences to reduce their risk of falling victim and to protect the information they are responsible for. 

Prevention is the most effective mitigation, and we urge all organisations to follow the NCSC's ⁠ransomware guidance to help protect their networks and improve their resilience to attacks.” 

The UK has sanctioned Khoroshev as part of our wider commitment to cracking down on malicious cyber activity and working with our international partners to promote international security and stability in cyberspace.  

These sanctions have been delivered jointly with Australia and the US and are the latest in our efforts to counter malicious cyber-criminal activity emanating from Russia that seek to undermine the integrity, prosperity and security of the UK and our allies.  

Background

• The NCSC and the NCA assess that LockBit was the leading ransomware threat to the UK and globally since the demise of the Conti ransomware strain in mid 2022. The strain first emerged at the end of 2019 and by 2022 was the most frequently used variant across the world. 
• LockBit caused significant disruption to many UK organisations and services, having severe short to medium term impact on prominent services within the private sector. The organised crime group responsible for LockBit, as well as the affiliates using the malware represented a significant threat to victims' data due to their tactic of stealing data and publishing it on its darkweb data leaks site (DLS). 
• According to industry sources, LockBit have leaked data from more victims on their DLS than any other ransomware group since records began, with more than 2000 victims worldwide listed.