Federal law enforcement has apprehended a Russian national for participating in a number of LockBit ransomware and other cyberattacks against victims’ computers in the U.S., Europe, Asia and Africa, the U.S. Justice Department said in a court filing.
Ruslan Magomedovich Astamirov of Chechen Republic, Russia, is charged with conspiring to commit wire fraud and to intentionally damage protected computers and transmit ransom demands, the Justice Department said. Astamirov was arrested on the complaint in Arizona and is scheduled to make his initial appearance in the District of Arizona.
U.S. Attorney Philip Sellinger, warned any other perpetrators will be apprehended and brought to justice:
“Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended. The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”
CISA Issues Advisory Over Threat Actors
Astamirov’s arrest comes as the Cybersecurity and Infrastructure Security Agency (CISA) has issued a lengthy advisory entitled Understanding Ransomware Threat Actors featuring the activities of LockBit, the most prolific of all ransomware families. The document is the brainchild of authoring agencies in Australia, Canada, the U.K., France, Germany and New Zealand.
According to the advisory:
- LockBit first appeared around January, 2020.
- In 2022, LockBit was the most active global ransomware group and ransomware-as-a-service (RaaS) provider in terms of the number of victims claimed on their data leak site.
- In 2022, 16% of the state, local, tribal, and tribunal (SLTT) government ransomware incidents were identified as LockBit attacks.
- This included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement).
- Total of U.S. ransoms paid to LockBit are approximately $91M since LockBit activity was first observed.
- Attacked as recently as May 25, 2023.
- Since 2021, LockBit affiliates have employed double extortion by first encrypting victim data and then exfiltrating that data while threatening to post the stolen data on leak sites.
- Up to Q1 2023, a total of 1,653 alleged victims were observed on LockBit leak sites.
According to documents in the Astamirov case:
- LockBit actors have executed over 1,400 attacks against victims in the U.S. and worldwide.
- LockBit operatives have issued more than $100 million in ransom demands.
- LockBit bad actors have received at least as much as tens of millions of dollars in actual ransom payments made in the form of bitcoin.
Suspect's Alleged Crimes Detailed
Astamirov allegedly owned, controlled, and used a variety of email addresses, internet protocol (IP) addresses, and other online provider accounts that allowed him and his co-conspirators to deploy LockBit ransomware and to communicate with their victims. Additionally, in at least one circumstance, law enforcement was able to trace a portion of a victim’s ransom payment to a virtual currency address in Astamirov’s control.
Astamirov’s case will be tried in New Jersey, which is handling the cases of two other men accused of participating in LockBit ransomware attacks. Mikhail Vasiliev, a dual Russian and Canadian national, was arrested in November, and Mikhail Pavlovich Matveev, also known as Wazawaka, was indicted in May for alleged roles in LockBit attacks along with other cyber activities. Matveev, a Russian national, remains at large.
Commenting on the case, FBI Newark Special Agent in Charge James E. Dennehy said:
“These cybercriminals hide in a virtual world but cause very real harm when they seize control of computer systems, putting companies and customers in an unimaginable bind. Either pay the ransoms or lose control of your entire information technology infrastructure. It is too high a price for anyone to be forced to pay. Astamirov's arrest, along with the others charged in this case, is a simple but devastating illustration of how we are following through on our promise. We are bringing these hackers to justice."
On paying ransoms, CISA and the authoring agencies recommend:
“The authoring organizations do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the authoring organizations urge you to promptly report ransomware incidents to your country’s respective authorities.”