The U.S. Department of Justice (DoJ) has charged a Russian national for his alleged role in deploying LockBit ransomware against victims in the U.S., Asia, Europe, and Africa.
The accused, Ruslan Magomedovich Astamirov, a 20-year-old from the Chechen Republic, is alleged to have carried out at least five attacks between August 2020 and March 2023. He was arrested in Arizona last month.
According to the DoJ, Astamirov conspired with other members of the LockBit operation to commit wire fraud, intentionally damage protected computers, and extort victims by deploying ransomware.
As part of his role, Astamirov allegedly controlled a set of email addresses, IP addresses, and online accounts used to distribute the ransomware and communicate with victims. Investigators were able to trace a portion of a ransom payment made by an unnamed victim to a virtual currency address under his control.
If convicted, the defendant faces a combined maximum sentence of 25 years in prison across the two charges.
Following Mikhail Vasiliev and Mikhail Pavlovich Matveev, Astamirov is the third individual to be charged in the U.S. in connection with LockBit. Vasiliev is currently awaiting extradition, while Matveev was recently indicted for his involvement in the LockBit, Babuk, and Hive ransomware operations but remains at large.
In an interview with The Record, Matveev said he was not surprised to be added to the FBI's Cyber Most Wanted list and expected the attention to fade quickly. He acknowledged his affiliation with the now-defunct Hive operation, described himself as self-taught, and said his ambition was to raise the level of IT in Russia.
The DoJ's announcement coincided with a joint advisory from cybersecurity authorities in Australia, Canada, France, Germany, New Zealand, the U.K., and the U.S. warning about the threat posed by LockBit ransomware.
LockBit operates on the ransomware-as-a-service (RaaS) model: a core group maintains the malware and infrastructure and recruits affiliates, who break into corporate networks, deploy the ransomware, and split the ransom with the operators. Because each affiliate brings its own intrusion tooling and tradecraft, the advisory notes that tactics, techniques, and procedures vary considerably from one LockBit attack to the next, which makes the group harder to defend against with a single set of indicators. Affiliates commonly use double extortion, encrypting victim data and threatening to publish it if the ransom is not paid.
The group has reportedly carried out nearly 1,700 attacks since it emerged in late 2019. The true number is likely higher, since the group's dark web leak site only lists victims who refuse to pay; organizations that pay are never posted and so are not counted.