The US Department of Justice (DoJ) on Thursday brought charges against a Russian citizen for his alleged involvement in deploying LockBit ransomware to targets in the US, Asia, Europe and Africa.
Ruslan Magomedovich Astamirov, 20, from the Chechen Republic, has been accused of carrying out at least five attacks between August 2020 and March 2023. He was arrested in the state of Arizona last month.
“Astamirov is alleged to have participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and intentionally damage protected computers and demand ransom through the use and distribution of the ransomware,” the DoJ said.
Astamirov, as part of his LockBit-related activities, managed various email addresses, IP addresses, and other online accounts to spread the ransomware and communicate with victims.
Law enforcement agencies said they were able to trace part of an unnamed victim’s ransom payment to a virtual currency address operated by Astamirov.
If found guilty, the defendant faces a maximum of 20 years in prison on the first count and a maximum of 5 years in prison on the second count.
Astamirov is the third person prosecuted in the US in connection with LockBit after Mikhail Vasiliev, who is currently awaiting extradition to the US, and Mikhail Pavlovich Matveev, who was indicted last month for his participation in the LockBit, Babuk, and Hive ransomware operations. Matveev is still at large.
In a recent interview with The Record, Matveev said he was not surprised by the decision by the Federal Bureau of Investigation (FBI) to include his name on its Cyber Most Wanted list and that “news of me will soon be forgotten.”
Matveev, who claims to be self-taught, also acknowledged his role as an affiliate for the now-defunct Hive operation, and expressed his desire to “take IT in Russia to the next level.”
The DoJ statement also comes a day after cybersecurity authorities from Australia, Canada, France, Germany, New Zealand, the UK and the US released a joint advisory warning about the LockBit ransomware.
LockBit functions under a ransomware-as-a-service (RaaS) model, in which a core team recruits affiliates to carry out attacks on corporate networks on their behalf in exchange for a cut of illicitly obtained proceeds.
Affiliates are known to use a double extortion technique by first encrypting the victim’s data and then exfiltrating the data while threatening to post the stolen data on leak sites in an attempt to pressure the target into paying the ransom.
The group is estimated to have carried out nearly 1,700 attacks since appearing in late 2019, although the exact number is believed to be higher because dark web data leak sites only disclose the names and leaked data of victims who refuse to pay ransoms.