
A Russian national charged for committing LockBit Ransomware attacks

DoJ charged a Russian national with conspiring to carry out LockBit ransomware attacks against U.S. and foreign businesses.

The Justice Department announced charges against the Russian national Ruslan Magomedovich Astamirov (20) for his role in numerous LockBit ransomware attacks against systems in the United States, Asia, Europe, and Africa. The US authorities arrested the man in Arizona last month.

The DoJ states that from at least as early as August 2020 to March 2023, Astamirov and other members of the LockBit ransomware gang committed wire fraud and compromised many computer systems worldwide in an attempt to extort the victims of ransomware attacks.

US authorities believe that Astamirov conducted at least five attacks against victim computer systems in the United States and abroad.  

Astamirov controlled multiple email addresses, IP addresses, and other online provider accounts that were employed in LockBit ransomware attacks. In at least one attack, the authorities were able to trace a portion of a ransom payment to a wallet under the control of Astamirov.

“This LockBit-related arrest, the second in six months, underscores the Justice Department’s unwavering commitment to hold ransomware actors accountable,” said Deputy Attorney General Lisa O. Monaco. “In securing the arrest of a second Russian national affiliated with the LockBit ransomware, the Department has once again demonstrated the long arm of the law. We will continue to use every tool at our disposal to disrupt cybercrime, and while cybercriminals may continue to run, they ultimately cannot hide.”

If convicted, Astamirov faces a maximum penalty of 20 years in prison on the wire fraud charge and a maximum penalty of five years in prison on the charge of conspiring to intentionally damage protected computers and to transmit ransom demands. Both charges can also be punished by a maximum fine of either $250,000 or twice the gain or loss from the offense, whichever is greatest.

In November 2022, the U.S. Department of Justice (DoJ) charged Mikhail Vasiliev, a dual Russian and Canadian national, for his alleged participation in the LockBit ransomware operation.

The man is currently in custody in Canada and is awaiting extradition to the United States.

In May, the US Justice Department charged Russian national Mikhail Pavlovich Matveev (30), aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar, for his alleged role in multiple ransomware attacks.

The DoJ unsealed two indictments charging the man with using three different ransomware families in attacks aimed at numerous victims throughout the United States. The attacks hit law enforcement agencies in Washington, D.C. and New Jersey, as well as organizations in the healthcare and other sectors nationwide.

On or about June 25, 2020, Matveev and his LockBit coconspirators targeted a law enforcement agency in Passaic County, New Jersey. On or about May 27, 2022, the man and his Hive coconspirators allegedly hit a nonprofit behavioral healthcare organization in New Jersey. On April 26, 2021, Matveev and his Babuk coconspirators hit the Metropolitan Police Department in Washington, D.C.

The Russian citizen has been charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, the man could face a sentence of over 20 years in prison. 

The man is suspected to be living in Russia and is operating from that country. Clearly, due to the ongoing geopolitical crisis, it’s unlikely that Russia will capture the man to extradite him to the United States. 

According to a joint advisory published by cybersecurity agencies, the LockBit ransomware group has successfully extorted roughly $91 million in about 1,700 attacks against U.S. organizations since 2020.

The LockBit ransomware operation was the most active in 2022 and, according to the researchers, it is one of the most prolific RaaS operations in 2023. The operation targeted many organizations in critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The advisory highlights that, due to the large number of unconnected affiliates in RaaS, the TTPs observed in LockBit ransomware attacks vary significantly.

LockBit was responsible for 18% of the total reported Australian ransomware incidents from April 1, 2022, to March 31, 2023.

16% of the State, Local, Tribal, and Territorial (SLTT) government ransomware incidents reported to the MS-ISAC in 2022 were LockBit attacks. The group targeted municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement).


Pierluigi Paganini
