LockBit Takedown Indicates Shifting DOJ Cyber Strategy and Has Implications for Ransomware Victims

Alston & Bird

On May 7, 2024, the United States unsealed an indictment against Dmitry Yuryevich Khoroshev, one of the leaders of the Russia-based ransomware group LockBit, for his alleged involvement in developing and distributing the LockBit ransomware. According to the indictment, Khoroshev performed both administrative and operational roles for the cybercrime group, including upgrading the LockBit infrastructure, managing LockBit affiliates, and recruiting new developers for the ransomware. Since emerging in 2020, LockBit has become one of the most prolific ransomware groups in the world, targeting over 2,500 victims worldwide and allegedly receiving more than $500 million in ransom payments, according to Department of Justice statistics. The group licenses its ransomware software of the same name to affiliate cybercriminal groups, which use the software to encrypt and steal data from victims’ systems. LockBit itself provides support and receives a portion of any ransom payment typically made in exchange for system decryption and promises to delete the stolen data.

The State Department offered a reward of up to $10 million for any information leading to the arrest of Khoroshev, who resides in Russia and remains at large. In addition, the Office of Foreign Assets Control (OFAC) added Khoroshev to its Specially Designated Nationals and Blocked Persons list (“SDN List”).

These actions may be indicative of a continued shift in DOJ’s cybercrime strategy to favor disruption over arrest and prosecution. Historically, the Justice Department has indicted Russian cybercriminals under seal and waited for the criminals to travel to a friendly country from which they could be extradited. So-called “name & shame” indictments are more commonly used against state-sponsored hackers and intelligence agents, who are far less likely to travel to the West than cybercriminals.

Companies that may be the victims of ransomware should take note of this case for two reasons. First, the addition of a ransomware leader to the SDN List makes any ransom payment more perilous. Companies considering paying a ransom will have to do increased due diligence to ensure that the payment is not going to Khoroshev—a difficult task when dealing with opaque and dishonest cybercriminals. Second, companies considering a ransom payment should note that the Khoroshev indictment alleges that copies of stolen data were found in Khoroshev’s seized infrastructure, despite promises LockBit allegedly made to victim companies that their data would be deleted after ransoms were paid.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising
