AFP helps ransomware victims during global operation’s second phase

The AFP continues to investigate global criminal ransomware group LockBit after a Russian member of the group was today penalised for his involvement in extorting victims, including Australians.

The AFP acknowledges a decision by Australian, US and UK governments to impose financial sanctions and a travel ban on Dmitry Yuryevich Khoroshev for the senior position he held in LockBit.

This is the second use of Australia’s thematic autonomous cyber sanctions framework. In October last year, the Australian, US and UK governments sanctioned Russian man Alexander Ermakov for his role in the cyber attack on Medibank Private.

The sanction today imposed on Khoroshev builds on the recent disruptive action undertaken by international law enforcement under the coordinated, global, National Crime Agency-led Operation Cronos.

Operation Cronos is centred on targeting LockBit, which is known for its ransomware off-the-shelf products sold to cyber criminals.

The AFP’s domestic investigation, working alongside Operation Cronos, is Operation Orcus Junkers. It began in November 2021 and continues.

Operation Orcus Junkers sits within the standing Aquila Taskforce, which includes the AFP and the Australian Signals Directorate (ASD).

The AFP is working with state and territory police to work through the 119 reports of crime involving Australian businesses and individuals targeted by LockBit.

In many cases, Australian victims had their data exfiltrated, encrypted, or both, severely impacting business and individuals.

The AFP is working closely with Australian LockBit victims and is assisting overseas law enforcement to help continue building a global case against the ransomware group.

In conjunction with DFAT, domestic and international law enforcement and intelligence partners, the AFP led the development of the sanction Statement of Case, which was based on comprehensive local and international intelligence and law enforcement holdings.

AFP Cyber Command Acting Assistant Commissioner Chris Goldsmid said the AFP had worked with key partners to gather evidence and intelligence to identify LockBit offenders and their infrastructure.

“A decision to publicly name Khoroshev is supported by the AFP,” Acting Assistant Commissioner Goldsmid said.

“By taking away his anonymity, it has severely undermined Khoroshev’s credibility with cyber criminals and also signals any dealings they have with him could be subject to law enforcement action.

“Since 2019, LockBit has caused billions of dollars’ worth of harm across the globe, including millions of dollars lost by Australian individuals and businesses.

“In cooperation with international partners under Operation Cronos, the AFP has used information collected to trace the global LockBit network and build the global case against the ransomware criminal group.

“For months now, the AFP has been sharing information with Operation Cronos partners to dismantle LockBit, which is considered the world’s most prolific ransomware group.

“In Australia, we have a range of evidence and information to work through, including IP addresses, tools and software deployed on Australian-owned systems, plus the infrastructure and communication used by cyber criminals.

“In terms of the role and capability provided by the AFP, our investigators have helped attribute LockBit affiliates as well as other facilitators of cybercrime used by the group.

“This has been done through analysis of evidence and intelligence gathered during domestic investigative activity in partnership with domestic law enforcement as well as joint analysis of overseas partner information within Operation Cronos.

“This sanction is a result of a truly global effort and the strong and productive partnership between the AFP and ASD, plus the longstanding partnerships and joint operations with international partners under Operation Cronos.”

The investigation into LockBit continues. As there are still ongoing investigations in relation to this group, it would not be appropriate to go into further operational details at this time.

Operation Cronos in February disrupted LockBit’s critical infrastructure, including its primary platform and 34 servers across Australia, the Netherlands, Germany, Finland, France, Switzerland, the United States and the United Kingdom.

After seizing control in February, the ransomware group’s leak site on the dark web was redesigned by law enforcement to host instead a series of articles exposing the different actions undertaken against LockBit.

It meant the world’s most prolific criminal ransomware group was seriously hindered by global law enforcement action.

It allowed law enforcement to post on LockBit’s dark web site that the group had been severely compromised by law enforcement.

The group’s unlawful profits have been frozen by law enforcement, including more than 200 cryptocurrency accounts allegedly owned by ransomware group members.

In response to the growing cyber threat, the AFP and ASD established Operation Aquila in November 2022 to investigate, target and disrupt cybercriminal syndicates, with a priority on ransomware threat groups.

Under Operation Aquila, the AFP and ASD investigate the highest priority cyber criminals targeting Australia, including the LockBit and BlackCat ransomware groups.
