The FBI, UK National Crime Agency, and Europol revealed the identity of the admin of the LockBit operation and sanctioned him.

The FBI, UK National Crime Agency, and Europol have unmasked the identity of the admin of the LockBit ransomware operation, aka ‘LockBitSupp’ and ‘putinkrab’ , and issued sanctions against him. It was the first time that the admin of the notorious group was identified by law enforcement.

The man is a Russian national named Dmitry Yuryevich Khoroshev (31) of Voronezh, Russia.

“The sanctions against Russian national Dmitry Khoroshev (pictured), the administrator and developer of the LockBit ransomware group, are being announced today by the FCDO alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.” reads the press release published by NCA.

The NCA states that Khoroshev will now be subject to a series of asset freezes and travel bans.

“Khoroshev, AKA LockBitSupp, who thrived on anonymity and offered a $10 million reward to anyone who could reveal his identity, will now be subject to a series of asset freezes and travel bans.” continues the NCA.

According to the UK agency, data retrieved from the systems belonging to the ransomware gang revealed that from June 2022 to February 2024, the criminals gave orchestrated over 7,000 attacks. The most targeted countries included the US, UK, France, Germany, and China.

LockBit operation targeted over 100 hospitals and healthcare companies, resulting in at least 2,110 victims. The NCA states that despite the group attempted to rebuild its operation, the international law enforcement operation carried out in February severely impacted the gang’s activities.

LockBit created a new leak site to inflate their apparent activity. Since the NCA’s intervention in February, LockBit attacks in the UK have decreased by 73%, with similar reductions reported in other countries. The investigation also provided insight into the group’s operations and network.

The NCA added that of the 194 affiliates identified as using LockBit’s services up until February 2024:

• 148 built attacks.
• 119 engaged in negotiations with victims, meaning they definitely deployed attacks.
• Of the 119 who began negotiations, there are 39 who appear not to have ever received a ransom payment.
• 75 did not engage in any negotiation, so also appear not to have received any ransom payments.

The US government also charged in the past other five LockBit members, Artur Sungatov, Ivan Kondratyev (Bassterlord), Ruslan Magomedovich Astamirov, Mikhail Matveev (Wazawaka), and Mikhail Vasiliev.

“These sanctions are hugely significant and show that there is no hiding place for cyber criminals like Dmitry Khoroshev, who wreak havoc across the globe. He was certain he could remain anonymous, but he was wrong.” NCA Director General Graeme Biggar said.

“We know our work to disrupt LockBit thus far has been extremely successful in degrading their capability and credibility among the criminal community. The group’s attempt at rebuilding has resulted in a much less sophisticated enterprise with significantly reduced impact.”

“Today’s announcement puts another huge nail in the LockBit coffin and our investigation into them continues. We are also now targeting affiliates who have used LockBit services to inflict devastating ransomware attacks on schools, hospitals and major companies around the world.”

According to Europol, law enforcement agencies have obtained over 2,500 decryption keys and are contacting the LockBit victims to offer assistance. With Europol’s support, agencies like the Japanese Police, the National Crime Agency, and the FBI have developed decryption tools to recover files encrypted by LockBit ransomware. These tools are now accessible for free on the No More Ransom portal in 37 languages.

“Europol has been exploiting the vast amount of data gathered during the investigation and the first phase of action to identify these victims, who are located all over the world. Its European Cybercrime Centre (EC3) has disseminated some 3 500 intelligence packages containing information about Lockbit victims to 33 countries.” reads the announcement published by Europol.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

MITRE published more details on the recent security breach, including a timeline of the attack and attribution evidence.

MITRE has shared more details on the recent hack, including the new malware involved in the attack and a timeline of the attacker’s activities.

In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The security team at the organization promptly launched an investigation, logged out the threat actor, and engaged third-party forensics Incident Response teams to conduct independent analysis in collaboration with internal experts.

According to the MITRE Corporation, a nation-state actor breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887).

MITRE spotted a foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.

The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration. 

Despite MITRE diligently following industry best practices, implementing vendor recommendations, and complying with government guidance to strengthen, update, and fortify its Ivanti system, they overlooked the lateral movement into their VMware infrastructure.

The organization said that the core enterprise network or partners’ systems were not affected by this incident.

Mitre researchers reported that the indicators of compromise that were observed during the security breach overlap with those Mandiant associated with UNC5221, which is a China-linked APT group.

The state-sponsored hackers first gaining initial access to NERVE on December 31, then they deployed the ROOTROT web shell on

The adversary deployed the ROOTROT web shell on Internet-facing Ivanti appliances.

On January 4, 2024, the threat actors conducted a reconnaissance on NERVE environment. They accessed vCenter through a compromised Ivanti appliance and communicated with multiple ESXi hosts. The attackers used hijacked credentials to log into several accounts via RDP and accessed user bookmarks and file shares to probe the network.

Then the nation-state actors manipulated VMs to compromise the overall infrastructure.

“The adversary manipulated VMs and established control over the infrastructure. The adversary used compromised administrative credentials, authenticated from an internal NERVE IP address, indicating lateral movement within the NERVE.” reads the update published by Mitre. “They attempted to enable SSH and attempted to destroy one of their own VMs as well as POSTed to /ui/list/export and downloaded a file demonstrating a sophisticated attempt to conceal their presence and maintain persistence within the network.”

On January 7, 3034, the adversary accessed VMs and deployed malicious payloads, including the BRICKSTORM backdoor and a web shell tracked as BEEFLUSH, enabling persistent access and arbitrary command execution.

The hackers relied on SSH manipulation and script execution to maintain control over the compromised systems. Mitre noted attackers exploiting a default VMware account to list drives and generate new VMs, one of which was removed on the same day. BRICKSTORM was discovered in directories with local persistence setups, communicating with designated C2 domains. BEEFLUSH interacted with internal IP addresses, executing dubious scripts and commands from the vCenter server’s /tmp directory

In the following days, the threat actors deployed additional payloads on the target infrastrcuture, including the WIREFIRE (aka GIFTEDVISITOR) web shell, and the BUSHWALK webshell for data exfiltration.

Between mid-February and mid-March, before MITRE discovered the security breach in April, threat actors maintained persistence in the NERVE environment and attempted lateral movement. The organization pointed out that the nation-state actors failed to compromise other resources. 

“Despite unsuccessful attempts to pivot to other resources, the adversary persisted in accessing other virtual environments within Center.” concludes the update that includes malware analysis and Indicators of Compromise for the involved payloads. “The adversary executed a ping command for one of MITRE’s corporate domain controllers and attempted to move laterally into MITRE systems but was unsuccessful.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, China)

Alexander Vinnik, a Russian operator of virtual currency exchange BTC-e pleaded guilty to participating in a money laundering scheme.

Alexander Vinnik, a Russian national, pleaded guilty to conspiracy to commit money laundering for his involvement in operating the cryptocurrency exchange BTC-e from 2011 to 2017. BTC-e processed over $9 billion in transactions and served over one million users globally, including many in the United States. In July 2017 law enforcement shut down the virtual currency exchange.

Greek Police arrested the Russian national in 2017, and they accused the man of running the BTC-e Bitcoin exchange to launder billions worth of cryptocurrency.

The virtual currency exchange received criminal proceeds from various illegal activities, including computer intrusions, ransomware attacks, identity theft, corruption, and drug distribution.

Vinnik promoted unlawful activities carried out through BTC-e and was responsible for at least $121 million in losses.

“BTC-e had no anti-money laundering (AML) and/or “know-your-customer” (KYC) processes and policies in place, as federal law also requires. BTC-e collected virtually no customer data at all, which made the exchange attractive to those who desired to conceal criminal proceeds from law enforcement.” reads the press release published by DoJ. “BTC-e relied on shell companies and affiliate entities that were similarly unregistered with FinCEN and lacked basic anti-money laundering and KYC policies to electronically transfer fiat currency in and out of BTC-e. Vinnik set up numerous such shell companies and financial accounts across the globe to allow BTC-e to conduct its business.” 

In July 2018, a Greek lower court agreed to extradite Vinnik to France to face charges of hacking, money laundering, extortion, and involvement in organized crime.

French authorities accused Vinnik of defrauding more than 100 people in six French cities between 2016 and 2018.

French prosecutors revealed that among the 188 victims of the Vinnik’s attacks, there were local authorities, businesses, and individuals across the world.

In June, New Zealand police had frozen NZ$140 million (US$90 million) in assets linked to a Russian cyber criminal. New Zealand police had worked closely with the US Internal Revenue Service on the case and the investigation is still ongoing.

Vinnik denied charges of extortion and money laundering and did not answer magistrates’ questions, his lawyer also announced that is evaluating whether to appeal.

French prosecutors believe Vinnik was one of the authors of the Locky ransomware that was also employed in attacks on French businesses and organizations between 2016 and 2018.

At his trial, Vinnik explained that he was not the kingpin of the organization, he claimed t have served only as a technical operator executing the instructions of BTC-e directors.

Vinnik was convicted of money laundering but prosecutors didn’t find enough evidence to convict him of extortion.

“The court convicted Vinnik of money laundering but didn’t find enough evidence to convict him of extortion, and stopped short of the 10-year jail term and 750,000 euros in fines that prosecutors had requested.” reported the Associated Press.

“One of his French lawyers, Ariane Zimra, said his conviction for money laundering “doesn’t make sense,” arguing that cryptocurrency is not legally considered “money.”

Subsequently, Vinnik returned to Greece before being extradited to the U.S..

“Today’s result shows how the Justice Department, working with international partners, reaches across the globe to combat cryptocrime,” said Deputy Attorney General Lisa Monaco. “This guilty plea reflects the Department’s ongoing commitment to use all tools to fight money laundering, police crypto markets, and recover restitution for victims.”

In February, the U.S. charged Aliaksandr Klimenka, a Belarusian and Cypriot national linked with the cryptocurrency exchange BTC-e. The man is facing charges of money laundering conspiracy and operation of an unlicensed money services business.

According to the indictment, Klimenka allegedly controlled the platform BTC-e with Alexander Vinnik and others. Klimenka also allegedly controlled a technology services company named Soft-FX, and the financial company FX Open. 

The servers that were hosting the BTC-e were maintained in the United States, and according to the DoJ, they were allegedly leased to and maintained by Klimenka and Soft-FX.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Alexander Vinnik)