Two Foreign Nationals Plead Guilty to Participation in LockBit Ransomware Group

July 23, 2024

“NEWARK, N.J. – Two foreign nationals pleaded guilty today in Newark federal court to participating in the LockBit ransomware group – at various times the most prolific ransomware variant in the world – and to deploying LockBit attacks against victims in the United States and worldwide.”

“According to court documents:

Ruslan Magomedovich Astamirov (АСТАМИРОВ, Руслан Магомедовичь), 21, a Russian national of Chechen Republic, Russia, and Mikhail Vasiliev, 34, a dual Canadian and Russian national of Bradford, Ontario, were members of LockBit. The LockBit ransomware variant first appeared in January 2020. Between that time and February 2024, LockBit grew into what was at times the most active and destructive ransomware group in the world. The LockBit group attacked more than 2,500 victims in at least 120 countries around the world, including 1,800 in the United States. Those victims ranged from individuals and small businesses to multinational corporations, and they included hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies. LockBit’s members extracted at least approximately $500 million in ransom payments from their victims and caused billions of dollars in broader losses, including costs like lost revenue and incident response and recovery.”

“LockBit’s ‘affiliate’ members, including Vasiliev and Astamirov, would first identify and unlawfully access vulnerable computer systems. They would then deploy LockBit ransomware on victim computer systems and both steal and encrypt stored data. After a successful LockBit attack, LockBit’s affiliate members would then demand a ransom from their victims in exchange for decrypting the victims’ data and deleting stolen data. When victims did not pay the demanded ransoms, LockBit’s affiliates would then leave the victim’s data permanently encrypted and publish the stolen data, including highly sensitive information, on a publicly accessible Internet site under LockBit’s control.”

“Between 2020 and 2023, Astamirov deployed LockBit against at least 12 victims, including businesses in Virginia, Japan, France, Scotland, and Kenya. Operating under the online aliases ‘BETTERPAY,’ ‘offtitan,’ and ‘Eastfarmer,’ he derived at least $1.9 million in ransom payments from those victims. As part of his plea agreement, Astamirov agreed to forfeit, among other assets, $350,000 in seized cryptocurrency that he extorted from one of his LockBit victims. Astamirov was first charged and arrested in this matter in June 2023.”

“Between 2021 and 2023, Vasiliev, operating under the online aliases ‘Ghostrider,’ ‘Free,’ ‘Digitalocean90,’ ‘Digitalocean99,’ ‘Digitalwaters99,’ and ‘Newwave110,’ deployed LockBit against at least 12 victims, including businesses in New Jersey, Michigan, the United Kingdom, and Switzerland. He also deployed LockBit against an educational facility in England and a school in Switzerland. Through these attacks, Vasiliev caused at least $500,000 in damage and losses to his victims. Vasiliev was first charged in this matter and arrested in Canada by Canadian authorities in November 2022, and extradited to the United States in June.”

The LockBit Investigation

“Today’s guilty pleas follow a recent disruption of LockBit ransomware in February by the U.K. National Crime Agency’s (NCA) Cyber Division, which worked in cooperation with the Justice Department, FBI, and other international law enforcement partners. As previously announced by the Department, authorities disrupted LockBit by seizing numerous public-facing websites used by LockBit to connect to the organization’s infrastructure and by seizing control of servers used by LockBit administrators, thereby disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data. This disruption succeeded in greatly diminishing LockBit’s reputation and its ability to attack further victims, as alleged by documents filed in this case.”

“Today’s guilty pleas also follow charges brought in the District of New Jersey against other LockBit members, including its alleged creator, developer, and administrator, Dmitry Yuryevich Khoroshev. An indictment against Khoroshev unsealed in May alleges that Khoroshev began developing LockBit as early as September 2019, continued acting as the group’s administrator through 2024, a role in which Khoroshev recruited new affiliate members, spoke for the group publicly under the alias “LockBitSupp,” and developed and maintained the infrastructure used by affiliates to deploy LockBit attacks. Khoroshev also took 20 percent of each ransom paid by LockBit victims, allowing him to personally derive at least $100 million over that period. Khoroshev is currently the subject of a reward of up to $10 million through the U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program, with information accepted through the FBI tip website at www.tips.fbi.gov.”

“A total of six LockBit members, including Khoroshev, the alleged developer, and Astamirov and Vasiliev, both affiliates, have now been charged in the District of New Jersey. Other LockBit charges include:

  • In February, in parallel with the disruption operation, an indictment was unsealed in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries.
  • In May 2023, two indictments were unsealed in Washington, D.C., and the District of New Jersey charging Mikhail Matveev, also known as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, with using different ransomware variants, including LockBit, to attack numerous victims throughout the United States, including the Washington, D.C., Metropolitan Police Department. Matveev is currently the subject of a reward of up to $10 million through the U.S. Department of State’s TOC Rewards Program, with information accepted through the FBI tip website at www.tips.fbi.gov/.” (Source: US Department of Justice)
