Russian Affiliate Behind LockBit Ransomware Apprehended in Arizona at Age 20
The U.S. Department of Justice (DoJ) has announced charges against a Russian national for his alleged involvement in deploying LockBit ransomware to targets across different regions. The accused, Ruslan Magomedovich Astamirov, a 20-year-old from Chechen Republic, is said to have carried out at least five attacks between August 2020 and March 2023. Astamirov was apprehended in Arizona last month.
According to the DoJ, Astamirov participated in a conspiracy with other members of the LockBit ransomware campaign, engaging in wire fraud and intentionally damaging protected computers. The group deployed ransomware and made ransom demands. Astamirov managed various email addresses, IP addresses, and online accounts to deploy the ransomware and communicate with the victims.
Law enforcement agencies were able to trace a portion of a victim’s ransom payment to a virtual currency address operated by Astamirov.
If convicted, Astamirov faces a maximum penalty of 20 years in prison for the first charge and a maximum penalty of five years in prison for the second charge.
Astamirov is the third individual to face prosecution in the U.S. in connection with LockBit, following Mikhail Vasiliev, who awaits extradition, and Mikhail Pavlovich Matveev, who was indicted last month for involvement in LockBit, Babuk, and Hive ransomware. Matveev remains at large.
In a recent interview, Matveev expressed no surprise at being included in the FBI’s Cyber Most Wanted list, claiming that the news about him would be forgotten soon. He admitted his role as an affiliate for the now-defunct Hive operation and expressed a desire to elevate IT in Russia to the next level.
The DoJ’s statement follows a joint advisory by cybersecurity authorities from Australia, Canada, France, Germany, New Zealand, the U.K., and the U.S., warning about LockBit ransomware.
LockBit operates under the ransomware-as-a-service (RaaS) model, where the core team recruits affiliates to carry out attacks against corporate networks on their behalf in exchange for a share of the proceeds. The affiliates utilize double extortion techniques by encrypting victim data and threatening to leak it if the ransom is not paid.
Since its emergence in late 2019, LockBit has launched approximately 1,700 attacks, although the actual number could be higher. The group selectively reveals the names and leaked data of victims who refuse to pay ransoms on dark web leak sites.
