NEWS: Australia Imposes Sanction On Second Russian Cybercriminal

Today the National Cyber Security Coordinator announced the second cyber sanction imposed by the Australian government on a foreign threat actor, enabled by the work of the Australian Signals Directorate (ASD) and the Australian Federal Police (AFP). Through their investigations into the lucrative cybercriminal group LockBit, they identified a Russian national, Dmitry Yuryevich Khoroshev, as holding a key leadership role in the group. This comes almost seven months after the Australian government imposed its first ever cyber sanction, against Aleksandr Ermakov for his involvement in the Medibank hack of October 2022, which resulted in the sensitive medical information of over 9 million Australians being leaked.

Australia, together with our international partners, has today imposed its second cyber sanction—this time on a senior leader of the prolific LockBit ransomware group.

This targeted financial sanction imposed on Dmitry Yuryevich Khoroshev, a Russian national, is another demonstration of our commitment under the 2023-2030 Australian Cyber Security Strategy to continue to deter and respond to malicious cyber activity, including through the use of cyber sanctions when it is in our national interest to do so.

This sanction is the culmination of great work by the Australian Signals Directorate and Australian Federal Police, together with their international partners, to disrupt the criminal activity of Khoroshev and LockBit and impose costs and consequences for their actions.

Through the Cyber Security Strategy, we are working to break the ransomware business model and today’s announcement is another demonstration of Australia’s commitment to this.

We remain committed to promoting a rules-based cyberspace, grounded in international law and norms of responsible behaviour, and holding accountable those who flout the rules.
— National Cyber Security Coordinator

What is LockBit?

LockBit is to date one of the most prolific ransomware-as-a-service (RaaS) operations: the core group develops the malware and the leak-site infrastructure, then recruits affiliates (individuals or threat groups) who carry out the intrusions and hand over a share of each ransom. LockBit was first observed in January 2020, and in the year to March 2023 it accounted for 18% of all reported ransomware incidents in Australia (ASD ACSC, 2023). Because so many different affiliates have used it, each bringing their own tooling and initial-access methods, the observed tactics, techniques, and procedures (TTPs) vary widely, which makes LockBit harder for organisations to defend against than a single-operator ransomware family.

LockBit affiliates have been observed using freely available and open-source tools built for legitimate use, alongside the LockBit payload itself, to conduct multifaceted extortion: they encrypt files on compromised devices to render them inoperable, leave the victim instructions for negotiating a ransom payment, and threaten to publish stolen data if the victim does not pay.

Put simply, they hold your computer files and services ransom, and leak your data if you don’t pay.

Source: ASD ACSC

How To Defend Against LockBit

LockBit affiliates typically gain initial access to a victim's network or device through stolen credentials, brute-force attacks against exposed login services, or phishing emails. This means that some of the best ways to protect yourself and your business from attacks using LockBit include:

  • Strong, unique passwords or passphrases of at least 14 characters, stored in a reputable password manager that encrypts its vault.

  • Not reusing passwords across sites or services, so a leak from one service cannot be replayed against another (credential stuffing). Know whether your credentials have been exposed in a breach and secure the affected accounts if they have; enabling multi-factor authentication wherever it is offered means a leaked password alone is not enough. Learn more about credential stuffing here.

  • A solid understanding of the phishing and social engineering tactics LockBit affiliates use. Do not rely solely on security software to stop a malicious download, as affiliates routinely find ways around popular endpoint protection.
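The two credential-based access methods named above leave different footprints in authentication logs. A brute-force attack is many failures against one account from one source; credential stuffing is a few attempts each against many different accounts from one source, because the attacker is replaying leaked username/password pairs rather than guessing. The following is an added example, not code from the original article or from ASD, that classifies source IPs from constructed sshd-style log lines using those two patterns; the thresholds, host name, account names and IP addresses are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample SSH authentication log lines (syslog format); not real telemetry.
# 198.51.100.7 hammers one account, 203.0.113.5 tries one password each across many
# accounts and eventually succeeds, 192.0.2.10 is a user who mistyped once.
SAMPLE_LOG = """\
Jan 10 09:00:01 bastion sshd[1201]: Failed password for admin from 198.51.100.7 port 50212 ssh2
Jan 10 09:00:03 bastion sshd[1201]: Failed password for admin from 198.51.100.7 port 50212 ssh2
Jan 10 09:00:05 bastion sshd[1201]: Failed password for admin from 198.51.100.7 port 50212 ssh2
Jan 10 09:00:07 bastion sshd[1201]: Failed password for admin from 198.51.100.7 port 50212 ssh2
Jan 10 09:00:09 bastion sshd[1201]: Failed password for admin from 198.51.100.7 port 50212 ssh2
Jan 10 09:00:11 bastion sshd[1201]: Failed password for admin from 198.51.100.7 port 50212 ssh2
Jan 10 09:01:00 bastion sshd[1305]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Jan 10 09:01:01 bastion sshd[1306]: Failed password for bob from 203.0.113.5 port 40002 ssh2
Jan 10 09:01:02 bastion sshd[1307]: Failed password for invalid user carol from 203.0.113.5 port 40003 ssh2
Jan 10 09:01:03 bastion sshd[1308]: Failed password for dave from 203.0.113.5 port 40004 ssh2
Jan 10 09:01:04 bastion sshd[1309]: Failed password for erin from 203.0.113.5 port 40005 ssh2
Jan 10 09:01:05 bastion sshd[1310]: Accepted password for frank from 203.0.113.5 port 40006 ssh2
Jan 10 09:05:00 bastion sshd[1400]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jan 10 09:05:04 bastion sshd[1400]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
"""

# Matches the outcome, account and source address of an sshd password-auth event.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse_events(text):
    """Return (outcome, user, source_ip) tuples; lines that are not auth events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def classify_sources(events, brute_threshold=5, stuffing_accounts=5):
    """Label each source IP as brute_force or credential_stuffing, or ignore it.

    brute_force: one account, at least brute_threshold failures.
    credential_stuffing: at least stuffing_accounts distinct accounts and at least
    that many failures, i.e. the attacker is replaying leaked pairs, not guessing.
    Any success from a flagged source is raised to high priority: that account's
    password is known to the attacker and must be reset.
    """
    per_ip = defaultdict(lambda: {"failed": 0, "accounts": set(), "accepted": set()})
    for outcome, user, ip in events:
        stats = per_ip[ip]
        stats["accounts"].add(user)
        if outcome == "Failed":
            stats["failed"] += 1
        else:
            stats["accepted"].add(user)

    findings = {}
    for ip, stats in per_ip.items():
        distinct = len(stats["accounts"])
        if distinct >= stuffing_accounts and stats["failed"] >= stuffing_accounts:
            tactic = "credential_stuffing"
        elif distinct == 1 and stats["failed"] >= brute_threshold:
            tactic = "brute_force"
        else:
            continue  # normal user behaviour at these thresholds
        findings[ip] = {
            "tactic": tactic,
            "failed": stats["failed"],
            "accounts": sorted(stats["accounts"]),
            "succeeded": sorted(stats["accepted"]),
            "priority": "high" if stats["accepted"] else "medium",
        }
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the constructed input, 198.51.100.7 is reported as brute_force, 203.0.113.5 as credential_stuffing with a successful login for frank (high priority, password reset required), and 192.0.2.10 is not reported. In a real deployment the thresholds should be tuned per service and applied over a sliding time window rather than a whole file, and the "succeeded" list is the part worth alerting on first.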

What Does This Sanction Mean?

As with the sanction imposed on Aleksandr Ermakov, this will heavily restrict the dealings Khoroshev can have with Australia and with countries that impose matching measures.

  • Financial: Australian individuals and organisations are prohibited from conducting financial transactions with the sanctioned individual, and any assets he holds in Australia are frozen. This makes it difficult for him to do business in Australia or receive any money from there.

  • Travel: Khoroshev is likely subject to a travel ban, preventing him from entering or transiting through Australia.

  • Public Designation: Being listed as a sanctioned individual carries a negative stigma. It signifies their involvement in malicious cyber activities and can damage their reputation in the international community.

Australia's partners, the United States and the United Kingdom, announced coordinated sanctions against Khoroshev on the same day. Whilst these restrictions may not seem like much, they make it increasingly difficult for Khoroshev to conduct any business that requires international resources such as funding, banking or travel. As with Australia's first sanction, it sends a clear message that the Australian government is fighting back against foreign cybercriminals and actively hunting for those with the greatest potential to disrupt our way of life in Australia.

References:

Understanding Ransomware Threat Actors: Lockbit - Joint Cybersecurity Advisory (2023) - https://www.cyber.gov.au/sites/default/files/2023-06/Understanding-Ransomware-Threat-Actors_LockBit.pdf

National Cyber Security Coordinator

Australian Signals Directorate’s Australian Cyber Security Centre
