The U.S. is offering a reward of up to $10 million for information leading to the arrest or conviction of a major player in the infamous ransomware gang that claimed responsibility for the 2023 cyberattack on dental benefits management company MCNA Dental.
Dmitry Yuryevich Khoroshev. Image courtesy of the U.S. Department of State.
On May 7, the U.S. designated Dmitry Yuryevich Khoroshev, a 31-year-old Russian national and core LockBit group leader, for his role in developing and distributing the cyber ring's ransomware. Also, the U.K. and Australia, whose authorities aided in the investigation, made this designation as well, according to a press release dated May 7 from the U.S. Department of the Treasury.
Worldwide, LockBit has targeted more than 2,500 victims and allegedly collected more than $500 million in ransom payments. Of those victims, about 1,800 have been in the U.S. Since January 2020, affiliates using LockBit have attacked organizations in many critical infrastructure sectors, including healthcare and financial services, according to a press release dated May 7 from the U.S. Department of State.
In May 2023, MCNA Dental announced that it had been struck by a ransomware attack, which may have exposed the personal data, including Social Security numbers, of nearly 9 million patients. LockBit took responsibility for the attack and claimed it had released 700GB of stolen data on its website after the dental benefits provider failed to pay the $10 million ransomware demand. One GB is equivalent to about 600 webpages of data.
Khoroshev allegedly worked in multiple operational and administrative roles for the cybercrime group and has benefited financially from the LockBit ransomware attacks. In addition, the Russian national is accused of facilitating the upgrading of the criminal organization's infrastructure, recruited new ransomware developers, and managed LockBit affiliates. Finally, he reportedly led efforts to continue the cybergang's attacks after the U.S. and its allies disrupted its operations in early 2024.
Due to the sanctions imposed, Khoroshev's property and interests in property in the U.S. or in possession or control of people in the U.S. must be blocked and reported to the treasury department's Office of Foreign Assets Control.
In general, the office's regulations ban all dealings by U.S. persons or within the U.S., including transactions transiting in the country. Additionally, those who engage in specific transactions with Khoroshev may be exposed to the same designation, according to the release.
Considered one of the most active and prolific ransomware groups in the world, LockBit operates on ransomware as a service model, where the group licenses its ransomware software to affiliated cybercriminals in exchange for payment, including a percentage of the paid ransoms. Under this model, the group maintains the functionality of a particular ransomware variant, sells access to that ransomware variant to individuals or groups of operators, and supports their deployment of ransomware in exchange for upfront payment, subscription fees, a portion of profits, or a combination of them.
Additionally, LockBit is infamous for its double extortion tactics in which its cybercriminals extract large caches of data from victims before encrypting their computer systems and demanding ransom payments, according to the release.
