Security news that informs and inspires

DoJ Charges Alleged Russian LockBit Ransomware Affiliate


The Department of Justice (DoJ) has arrested and charged a Russian national who allegedly worked as a LockBit ransomware affiliate to target businesses worldwide.

According to charges released Thursday by the DoJ, 20-year-old Ruslan Magomedovich Astamirov of Chechen Republic was allegedly involved in five LockBit ransomware attacks between 2020 and 2023, which were launched both against organizations in the U.S. - including ones in West Palm Beach, Fla. and Virginia - and abroad, including ones in Japan, France and Kenya.

With LockBit being one of the more prevalent ransomware families to currently exist, the U.S. has been hunting down affiliates that are involved in attacks that deploy the ransomware. Astamirov is the third to be charged by the DoJ in LockBit-related charges, following criminal charges in November 2022 against dual Russian and Canadian national Mikhail Vasiliev and a May 16 indictment of Mikhail Pavlovich Matveev, a Russian national known by his hacker handle Wazawaka. Like Vasiliev, Astamirov is in custody after he was arrested in Arizona, and he made an initial appearance in court on Thursday.

“This Lockbit-related arrest, the second in six months, underscores the Justice Department’s unwavering commitment to hold ransomware actors accountable,” said Deputy Attorney General Lisa Monaco in a Thursday statement. “In securing the arrest of a second Russian national affiliated with the LockBit ransomware, the Department has once again demonstrated the long arm of the law. We will continue to use every tool at our disposal to disrupt cybercrime, and while cybercriminals may continue to run, they ultimately cannot hide.”

Investigators believe that Astamirov operated as a LockBit affiliate, as he allegedly received an 80 percent affiliate portion of a ransom payment (worth over $700,000 at the time of transaction) made by the victim in Kenya. Of note, the victim was also instructed to send the remaining 20 percent of the ransom payment to a different address believed to be the developer portion.

Law enforcement traced a portion of the victim’s ransom payment to a virtual currency address that was in Astamirov’s control. The DoJ also said that Astamirov allegedly leveraged a number of email addresses, IP addresses and online provider accounts that allowed him to deploy the LockBit ransomware and communicate with victims.

In addition to these charges, several U.S. agencies - including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI and international security agencies - this week released an advisory about the LockBit ransomware describing its key differentiators and urging enterprises to review their defensive strategies. According to the new report, LockBit affiliate operations have carried out 1,800 intrusions since the ransomware first appeared in 2020, and LockBit victims in the U.S. have paid the group more than $90 million in ransoms.

“In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023," according to the advisory. "Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation."