Two Russians Plead Guilty to Involvement in LockBit Ransomware Attacks
Two Russian nationals have confessed to their roles in numerous LockBit ransomware attacks, which targeted victims in the United States and worldwide. The Justice Department announced on Thursday that Ruslan Magomedovich Astamirov, a Russian national, and Mikhail Vasiliev, a dual Canadian/Russian national, were affiliates of LockBit’s ransomware-as-a-service operation.
Affiliates like Vasiliev and Astamirov identified and breached vulnerable systems, stole sensitive data, and deployed ransomware to encrypt files. They demanded ransoms in exchange for decrypting the files and not leaking the stolen data online. If the ransoms were not paid, LockBit would leave the data permanently encrypted and publish the stolen files, including highly sensitive information, on its dark web leak site.
According to court documents, Astamirov, also known as BETTERPAY, offtitan, and Eastfarmer, used LockBit ransomware between 2020 and 2023 against at least a dozen victims, including businesses in Virginia, Japan, France, Scotland, and Kenya, amassing at least $1.9 million in ransom payments.
From 2021 to 2023, Vasiliev, also known as Ghostrider, Free, Digitalocean90, Digitalocean99, Digitalwaters99, and Newwave110, conducted at least 12 ransomware attacks, impacting businesses in New Jersey, Michigan, the United Kingdom, and Switzerland, resulting in approximately $500,000 in damages and losses, as per his guilty plea.
Astamirov was arrested in Arizona in June 2023 and charged with deploying LockBit ransomware. Vasiliev, who was extradited to the United States in June, has already been sentenced to four years in prison by an Ontario court for his role in the LockBit ransomware operation.
While Astamirov’s sentencing date has not been set, he could face up to 25 years in prison. Vasiliev, however, could receive a maximum sentence of 45 years.
Six other members of the LockBit ransomware group have also been charged in the U.S. Notable arrests include Mikhail Pavlovich Matveev (aka Wazawaka) in May 2023, Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord) in February 2024, and Dmitry Yuryevich Khoroshev (aka LockBitSupp and putinkrab) in May 2024.
LockBit emerged in September 2019 under the name ABCD and has been associated with attacks on prominent companies and organizations, including Boeing, the Continental automotive giant, Bank of America, the Italian Internal Revenue Service, and the UK Royal Mail.
In February 2024, law enforcement executed Operation Cronos, dismantling LockBit’s infrastructure and seizing 34 servers. These servers contained over 2,500 decryption keys, which were used to create a free LockBit 3.0 Black Ransomware decryptor.
The U.S. Department of Justice and the U.K.’s National Crime Agency estimate that the group extorted between $500 million and $1 billion from at least 7,000 attacks between June 2022 and February 2024. Despite these efforts, LockBit remains active, relocating to new servers and dark web domains. The group continues to target victims and release both old and new data in retaliation for the recent takedown of its infrastructure by U.S. and U.K. authorities.