Two Russians Convicted for Role in LockBit Attacks

Two Russian nationals have pleaded guilty to their participation in the notorious LockBit ransomware gang, the US Department of Justice (DoJ) has announced.

Ruslan Magomedovich Astamirov, aged 34, and Mikhail Vasiliev, aged 34, pleaded guilty to a range of charges related to their involvement as affiliates of the ransomware-as-a-service (RaaS) group.

Astamirov pleaded guilty to conspiracy to commit computer fraud and abuse and conspiracy to commit wire fraud. He faces a maximum penalty of 25 years in prison and has also agreed to forfeit $350,000 in seized cryptocurrency that he extorted from one of his LockBit victims.

Vasiliev pleaded guilty to four counts: conspiracy to commit computer fraud and abuse, intentional damage to a protected computer, transmission of a threat in relation to damaging a protected computer, and conspiracy to commit wire fraud. He faces a maximum penalty of 45 years in prison.

No sentencing date has been set so far for either individual.

How the LockBit Affiliates Operated

As affiliates of LockBit, the pair identified and unlawfully accessed vulnerable computer systems, before deploying LockBit ransomware to steal and encrypt stored data.

They would then demand ransoms from their victims in exchange for decrypting the data and for a claimed deletion of the information they had exfiltrated.

If the ransom demand was not paid, the affiliates would leave the victim’s data permanently encrypted and publish the stolen data on LockBit’s darkweb leak site.

Astamirov deployed LockBit ransomware against at least 12 organizations between 2020 and 2023, extorting $1.9m from those victims. These organizations operated in a range of geographies, including Virginia, Japan, France, Scotland and Kenya.

Vasiliev, who is a dual Canadian and Russian national, also deployed the LockBit variant against at least 12 organizations, including educational facilities in the UK and Switzerland. Through these attacks, Vasiliev caused at least $500,000 in damage and losses to his victims.

LockBit was the most prolific ransomware operator in 2023 and early 2024.

Law Enforcement Targeting of LockBit

The US government said the convictions showed the growing ability of law enforcement to hold cybercriminals accountable for their actions, regardless of where they are located.

FBI Deputy Director Paul Abbate commented: “Today’s plea shows our relentless and unwavering commitment to ensuring that cybercriminals are brought to justice for their actions. The FBI is proud of the international collaboration that led to these individuals being held accountable under the law for the damage their actions have caused.”

Vasiliev was arrested in Ontario, Canada, in November 2022, before being extradited to the US.

The DoJ announced the arrest and charges against Astamirov in June 2023.

Both arrests occurred before Operation Cronos, a global law enforcement operation in February 2024 that took down infrastructure used by LockBit.

Operation Cronos saw LockBit’s data leak site and affiliate panel seized, 34 servers operated by LockBit seized, 14,000 “rogue accounts” involved with data exfiltration or the group’s infrastructure closed, and 200 cryptocurrency accounts linked to LockBit and its affiliates frozen.

Law enforcement agencies were also able to get hold of LockBit’s decryption keys in the operation, enabling previous victims to decrypt files that had been locked down by the group’s affiliates.

In May 2024, the US National Crime Agency (NCA) identified LockBit’s leader, Russian national Dmitry Yuryevich Khoroshev, and the US government unsealed an indictment against him. The US government has offered a $10m reward for information that leads to his arrest.

The charges allege that Khoroshev recruited new affiliate members, spoke for the group publicly under the alias “LockBitSupp,” and developed and maintained the infrastructure used by affiliates to deploy LockBit attacks from as early as September 2019 through to 2024.

He also allegedly took 20% of each ransom paid by LockBit victims, allowing him to derive at least $100m over that period.

The Return of LockBit

An analysis by NCC Group found that LockBit reemerged to become the most prominent ransomware actor in May 2024, launching 176 attacks throughout the month.

This came after a period of dormancy following Operation Cronos.

In February 2024, a LockBit admin published a long message admitting negligence in enabling the law enforcement takedown, but insisted they were resuming their ransomware business, creating a new leak site.
