Advancing UK Aerospace, Defence, Security & Space Solutions Worldwide

Security

LockBit leader unmasked and sanctioned

A leader of what was once the world’s most harmful cyber crime group has been unmasked and sanctioned by the UK, US and Australia, following a National Crime Agency-led international disruption campaign.

Image courtesy NCA

The sanctions against Russian national Dmitry Khoroshev (above), the administrator and developer of the LockBit ransomware group, were announced earlier this month by the FCDO alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.

Advertisement
Gulfstream RT

Khoroshev, AKA LockBitSupp, who thrived on anonymity and offered a $10 million reward to anyone who could reveal his identity, will now be subject to a series of asset freezes and travel bans.

US partners have also unsealed an indictment against him and are offering a reward of up to $10m for information leading to his arrest and/or conviction.

The actions targeting Khoroshev form part of an extensive and ongoing investigation into the LockBit group by the NCA, FBI, and international partners who form the Operation Cronos taskforce.

LockBit provided ransomware-as-a-service (RaaS) to a global network of hackers or ‘affiliates’, supplying them with the tools and infrastructure to carry out attacks.

In February the NCA announced that it had infiltrated the group’s network and taken control of its services, including its leak site on the dark web, which compromised the entire criminal enterprise.

The true impact of LockBit’s criminality was previously unknown, but data obtained from their systems showed that between June 2022 and February 2024, more than 7,000 attacks were built using their services. The top five countries hit were the US, UK, France, Germany and China.

Above: the NCA took control of the group's services including its leak site on the dark web.
Image courtesy NCA

Attacks targeted over 100 hospitals and healthcare companies and at least 2,110 victims were forced into in some degree of negotiation by cyber criminals.

The group has attempted to rebuild over the last two months, however the NCA assesses that as a result of this investigation, they are currently running at limited capacity and the global threat from LockBit has significantly reduced.

LockBit have created a new leak site on which they have inflated apparent activity by publishing  victims targeted prior to the NCA taking control of its services in February, as well as taking credit for attacks perpetrated using other ransomware strains.

Data shows that the average number of monthly LockBit attacks has reduced by 73% in the UK since February’s action, with other countries also reporting reductions. Attacks appear to have been carried out by less sophisticated affiliates with lower levels of impact.

As well as uncovering the real-world identity of LockBitSupp, the Operation Cronos investigation has given the NCA and partners a deep insight into LockBit’s operations and network.

Of the 194 affiliates identified as using LockBit’s services up until February 2024:

  • 148 built attacks.
  • 119 engaged in negotiations with victims, meaning they definitely deployed attacks.
  • Of the 119 who began negotiations, there are 39 who appear not to have ever received a ransom payment.
  • 75 did not engage in any negotiation, so also appear not to have received any ransom payments.

This means up to 114 affiliates paid thousands to join the LockBit programme and caused unknown levels of damage, meaning they will targeted by law enforcement, but never made any money from their criminality.

Advertisement
ODU RT

Active affiliate numbers have also significantly reduced, to 69, since February.

The NCA uncovered numerous examples of attacks where the decryptor provided by LockBit to victims who had paid ransoms failed to work, and where they received no support from affiliates or LockBit, further highlighting their untrustworthiness.

In one affiliate attack against a children’s hospital in December 2022, LockBitSupp issued an apologetic statement on their leak site and confirmed it had provided the decryptor to the victim for free.

It said the attacker had “violated our rules”, had been blocked and was no longer in their affiliate programme. In fact, they remained an active LockBit affiliate up until the February 2024 disruption, with NCA analysis showing they went on to build 127 unique attacks, engage in 50 negotiations with victims and received multiple ransom payments.

Finally, as was established by investigators, LockBit did not routinely delete stolen data once a ransom was paid.

NCA Director General Graeme Biggar said: “These sanctions are hugely significant and show that there is no hiding place for cyber criminals like Dmitry Khoroshev, who wreak havoc across the globe. He was certain he could remain anonymous, but he was wrong.

“We know our work to disrupt LockBit thus far has been extremely successful in degrading their capability and credibility among the criminal community. The group’s attempt at rebuilding has resulted in a much less sophisticated enterprise with significantly reduced impact.

“Today’s announcement puts another huge nail in the LockBit coffin and our investigation into them continues. We are also now targeting affiliates who have used LockBit services to inflict devastating ransomware attacks on schools, hospitals and major companies around the world.

“Working with our international partners, we will use all the tools at our disposal to target other groups like LockBit, expose their leadership and undermine their operations to protect the public.”

Sanctions Minister, Anne-Marie Trevelyan said: “Together with our allies we will continue to crack down on hostile cyber activity which is destroying livelihoods and businesses across the world.

“In sanctioning one of the leaders of LockBit we are taking direct action against those who continue to threaten global security, while simultaneously exposing the malicious cyber-criminal activity emanating from Russia.”

Security Minister Tom Tugendhat said: “Cyber criminals think they are untouchable, hiding behind anonymous accounts as they try to extort money from their victims.

“By exposing one of the leaders of LockBit, we are sending a clear message to these callous criminals. You cannot hide. You will face justice.”

The NCA and international partners are now in possession of over 2,500 decryption keys and are continuing to contact LockBit victims to offer support. The Agency has so far proactively reached out to nearly 240 LockBit victims in the UK.

Public reporting is absolutely vital in supporting global law enforcement to tackle ransomware effectively. If you are in the UK, you should use the Government’s Cyber Incident Signposting Site as soon as possible, for direction on which agencies to report your incident to.

The Operation Cronos taskforce includes the NCA, the South West Regional Organised Crime Unit (SWROCU), and Metropolitan Police Service in the UK; FBI and the Department of Justice in the US; Europol, Eurojust, and law enforcement partners in France (Gendarmerie), Germany (LKA and BKA), Switzerland (Fedpol and Zurich Cantonal Police), Japan (National Police Agency), Australia (Australian Federal Police), Sweden (Swedish Police Authority), Canada (RCMP), and the Netherlands (National Police - Politie).

This operation was also supported by the National Bureau of Investigation in Finland.

Advertisement
PTC PTC
QinetiQ US achieves DoD

Security

QinetiQ US achieves DoD's CMMC Level 2 Cybersecurity Certification

16 July 2025

Advanced certification has positioned QinetiQ US among early achievers in a select group of companies meeting the US Department of Defense's enhanced cybersecurity standards, having earned Level 2 certification under the DoD Cybersecurity Maturity Model Certification (CMMC) programme with zero findings.

SkyShark takes flight

Defence Security

SkyShark takes flight

16 July 2025

MGI Engineering, a company forged in the fast-paced world of Formula 1, has officially unveiled SkyShark, a next-generation military drone platform designed to transform battlefield operations with speed, precision and UK-built sovereignty.

Chief Superintendent Fiona Gaffney joins NPAS as COO

Security

Chief Superintendent Fiona Gaffney joins NPAS as COO

15 July 2025

The National Police Air Service (NPAS) has welcomed Chief Superintendent Fiona Gaffney as its new Chief Operating Officer (COO), following the retirement of Chief Superintendent Vicki White after 30 years of service to policing.

Lane Electronics to showcase connectivity solutions at DSEI 2025

Defence Security Events

Lane Electronics to showcase connectivity solutions at DSEI 2025

15 July 2025

Franchised distributor of electrical, electronic and optical connectors, Lane Electronics, will be exhibiting at DSEI 2025 (9th–12th September 2025, Excel London) will have the opportunity to explore the company’s latest connector technologies and its UK-based assembly and services.

Advertisement
Teledyne
UK and France agree scheme to address illegal Channel crossings

Security

UK and France agree scheme to address illegal Channel crossings

11 July 2025

The Prime Minister Keir Starmer and French President Emmanuel Macron, have agreed a scheme to address illegal Channel crossings and dismantle the people smuggling networks.

IFS appoints Kriti Sharma as CEO of Nexus Black

Aerospace Security

IFS appoints Kriti Sharma as CEO of Nexus Black

11 July 2025

IFS has appointed Kriti Sharma as CEO of IFS Nexus Black. This strategic move reinforces IFS’s commitment to industrial AI and fast-tracks the development of agentic AI systems designed for the asset- and service-intensive industries it serves.

Advertisement
Teledyne