LockBit Affiliate Arrested, as Extortion Totals Reach $91M Since 2020

The US Department of Justice has arrested and charged a Russian national, Ruslan Magomedovich Astamirov, for his role as an affiliate for the LockBit ransomware.

Specifically, Astamirov is accused of directly executing at least five attacks between August 2020 and last March, against victim computer systems in the United States and abroad.

"Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended," US Attorney Philip R. Sellinger, District of New Jersey, said in a DoJ statement. "The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity."

Astamirov is charged with conspiring to commit wire fraud and conspiring to intentionally damage protected computers and to transmit ransom demands. If convicted, he faces a maximum penalty of 25 years in prison, along with a maximum fine of either $250,000 or twice the gain or loss from the offense, whichever is greatest. The latter number may be larger; CISA and other global cybersecurity authorities this week warned that affiliates using LockBit ransomware variants have collectively extorted around $91 million across 1,700 cyberattacks against US organizations since 2020.

Multiple criminal affiliates use LockBit ransomware, which functions as a ransomware-as-a-service (RaaS) model, so the different attacks vary in how they operate and in their tactics, techniques, and procedures (TTPs), making it more difficult for organizations to protect themselves. Even so, they're finding it increasingly difficult to evade law enforcement scrutiny. 

The latest DoJ announcement follows LockBit-related charges in two other cases from the District of New Jersey. In November, the department announced LockBit-related criminal charges against Mikhail Vasiliev, who is in custody in Canada awaiting extradition to the United States. In May, the department announced the indictment of Mikhail Pavlovich Matveev, for his alleged participation in separate conspiracies to deploy LockBit, Babuk, and Hive ransomware — he remains at large.

More Recent LockBit Ransomware Activity

Meanwhile, LockBit attacks continue. The most recent LockBit ransomware activity was observed this year in New Zealand in February, Australia in April, and the United States on May 25.

CISA and fellow authors in the advisory recommended that organizations apply mitigations such as sandboxing browsers, installing Web application firewalls, requiring phishing-resistant multifactor authentication (MFA), and installing up-to-date antivirus software, to prevent against ransomware attacks.