Wednesday, February 12, 2025

Russia’s Ruslan Magomedovich Astamirov, Mikhail Vasiliev Convicted over LockBit Ransomware Attacks

Two foreign nationals pleaded guilty Thursday to participating in the LockBit ransomware group—at various times the most prolific ransomware variant in the world—and to deploying LockBit attacks against victims in the United States and worldwide.

“Today’s convictions reflect the latest returns on the Department’s investment in disrupting ransomware threats, prioritising victims, and holding cybercriminals accountable,” said Deputy Attorney General Lisa Monaco. “In executing our all-tools cyber enforcement strategy, we’ve dealt significant blows to destructive ransomware groups like LockBit, as we did earlier this year, seizing control of LockBit infrastructure and distributing decryption keys to their victims.”  

“The defendants committed ransomware attacks against victims in the United States and around the world through LockBit, which was one of the most destructive ransomware groups in the world,” said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division.

According to court documents, Ruslan Magomedovich Astamirov (АСТАМИРОВ, Руслан Магомедовичь), 21, a Russian national of the Chechen Republic, Russia, and Mikhail Vasiliev, 34, a dual Canadian and Russian national of Bradford, Ontario, were members of LockBit.

Between January 2020 and February 2024, LockBit grew into what was, at times, the most active and destructive ransomware group in the world. LockBit attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States.

Those victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organisations, critical infrastructure, and government and law-enforcement agencies. LockBit’s members extorted at least approximately $500 million in ransom payments from their victims and caused billions of dollars in additional losses to victims, including costs like lost revenue and incident response and recovery.

LockBit’s “affiliate” members, including Vasiliev and Astamirov, first identified and unlawfully accessed vulnerable computer systems and then deployed LockBit ransomware to steal and encrypt stored data. When LockBit attacks were successful, the affiliates demanded ransoms from their victims in exchange for decrypting the victims’ data and claiming to delete the affiliates’ copies of the data.

When victims did not pay the demanded ransoms, LockBit’s affiliates often left the victim’s data permanently encrypted and published the stolen data, including highly sensitive information, on a publicly accessible internet site under LockBit’s control.

“Astamirov and Vasiliev thought that they could deploy LockBit from the shadows, wreaking havoc and pocketing massive ransom payments from their victims without consequence,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey.

“Astamirov and Vasiliev were members of the LockBit ransomware group, which has caused severe harm around the globe by attacking computer systems in over a hundred countries, damaging organisations ranging from government and law-enforcement agencies to hospitals and schools,” said FBI Deputy Director Paul Abbate.

Between 2020 and 2023, Astamirov deployed LockBit against at least 12 victims, including businesses in Virginia, Japan, France, Scotland, and Kenya. Operating under the online aliases “BETTERPAY,” “offtitan,” and “Eastfarmer,” he extorted $1.9 million from those victims. As part of his plea agreement, Astamirov agreed to forfeit, among other assets, $350,000 in seized cryptocurrency that he extorted from one of his LockBit victims. Astamirov was first charged and arrested in this matter in June 2023.

Between 2021 and 2023, Vasiliev, operating under the online aliases “Ghostrider,” “Free,” “Digitalocean90,” “Digitalocean99,” “Digitalwaters99,” and “Newwave110,” deployed LockBit against at least 12 victims, including businesses in New Jersey, Michigan, the United Kingdom, and Switzerland. He also deployed LockBit against an educational facility in England and a school in Switzerland.

Through these attacks, Vasiliev caused at least $500,000 in damage and losses to his victims. Vasiliev was first charged in this matter and arrested in Canada by Canadian authorities in November 2022 and extradited to the United States in June.

Astamirov pleaded guilty to a two-count information charging him with conspiracy to commit computer fraud and abuse and conspiracy to commit wire fraud. He faces a maximum penalty of 25 years in prison. Vasiliev pleaded guilty to a four-count information charging him with conspiracy to commit computer fraud and abuse, intentional damage to a protected computer, transmission of a threat in relation to damaging a protected computer, and conspiracy to commit wire fraud.

He faces a maximum penalty of 45 years in prison. A sentencing date has not yet been set. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Today’s guilty pleas follow a recent disruption of LockBit ransomware in February by the UK National Crime Agency’s (NCA) Cyber Division, which worked in cooperation with the Justice Department, FBI, and other international law enforcement partners.

As previously announced by the Department, authorities disrupted LockBit by seizing numerous public-facing websites used by LockBit to connect to the organisation’s infrastructure and by seizing control of servers used by LockBit administrators, thereby disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data. This disruption greatly diminished LockBit’s reputation and ability to attack further victims, as alleged by documents filed in this case.

Today’s guilty pleas also follow prior announcements of charges brought in the District of New Jersey against four other LockBit members, including its alleged creator, developer, and administrator, Dmitry Yuryevich Khoroshev. According to an indictment unsealed in May, Khoroshev allegedly acted as the group’s administrator from as early as September 2019 through 2024.

In that role, Khoroshev recruited new affiliate members, spoke for the group publicly under the alias “LockBitSupp,” and developed and maintained the infrastructure used by affiliates to deploy LockBit attacks. Khoroshev also took 20 per cent of each ransom paid by LockBit victims, allowing him to personally derive at least $100 million over that period.

Khoroshev is currently the subject of a reward of up to $10 million through the U.S. Department of State’s Transnational Organised Crime (TOC) Rewards Program, with information accepted through the FBI tip website at https://tips.fbi.gov/home.

In February 2024, in parallel with the disruption operation, an indictment was unsealed in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries.

In May 2023, two indictments were unsealed in Washington, D.C., and the District of New Jersey, charging Mikhail Matveev, also known as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, with using different ransomware variants, including LockBit, to attack numerous victims throughout the United States, including the Washington, D.C., Metropolitan Police Department. Matveev is currently the subject of a reward of up to $10 million through the U.S. Department of State’s TOC Rewards Program, with information accepted through the FBI tip website at tips.fbi.gov/.

The U.S. Department of State’s TOC Rewards Program is also offering rewards of up to $10 million for information leading to the identification and location of any individuals who hold a key leadership position in LockBit and up to $5 million for information leading to the arrest and conviction in any country of any individual participating or attempting to participate in LockBit.

Khoroshev, Matveev, Sungatov, and Kondratyev have also been designated for sanctions by the Department of the Treasury’s Office of Foreign Assets Control for their roles in launching cyberattacks.  
