Fraud Management & Cybercrime, Ransomware

Russian National Charged With Carrying Out 4 LockBit Attacks

20-Year-Old Faces 20 Years in Prison, $250,000 Fine for Global Ransomware Attacks

Federal officials charged a Russian national with carrying out at least four LockBit ransomware attacks against businesses in the United States, Asia, Europe and Africa.

The Justice Department said Ruslan Magomedovich Astamirov, 20, of Chechnya, collaborated with other members of the LockBit ransomware-as-a-service group between August 2020 and March 2023 to commit wire fraud, intentionally damage protected computers and make ransom demands. Astamirov will make his initial appearance in the U.S. District Court for the District of New Jersey today (see: Alleged Babuk Ransomware Hacker 'Wazawaka' Indicted in US).

"The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity," said Philip Sellinger, U.S. attorney for the District of New Jersey.

What Is the Maximum Punishment Astamirov Faces?

Feds charged Astamirov with conspiring to commit wire fraud and conspiring to intentionally damage protected computers and transmit ransom demands. The wire fraud charge carries a maximum penalty of 20 years in prison, and the other charge has a maximum penalty of five years. He faces a maximum fine on each charge of either $250,000 or twice the gain or loss from the offense, whichever is greater.

Astamirov allegedly owned, controlled and used a variety of email addresses, IP addresses and other online provider accounts to deploy LockBit ransomware and communicate with his victims. Officials also traced a portion of a victim's ransom payment to a virtual currency address in Astamirov's control, according to the U.S. Justice Department (see: Accused LockBit Ransomware Operator Arrested in Canada).

"In securing the arrest of a second Russian national affiliated with the LockBit ransomware, the Department has once again demonstrated the long arm of the law," Deputy Attorney General Lisa Monaco said in a statement. "We will continue to use every tool at our disposal to disrupt cybercrime, and while cybercriminals may continue to run, they ultimately cannot hide."

LockBit actors have executed more than 1,800 attacks against victims around the world since the variant first appeared around January 2020, the criminal complaint against Astamirov alleges. During these attacks, federal prosecutors said, LockBit actors issued at least hundreds of millions of dollars in ransom demands and received approximately $90 million in actual ransom payments made in the form of bitcoin.

How Astamirov Allegedly Carried Out the LockBit Attacks

Astamirov reportedly carried out his first LockBit attack in mid-August 2020 against a West Palm Beach, Florida, business, where an IP address under his control allegedly accessed the victim's computer system without authorization. A month later, prosecutors alleged, Astamirov posted data stolen and exfiltrated from a business in Tokyo, Japan, to the LockBit data leak site after the victim refused to pay a ransom.

The following month, Astamirov allegedly exfiltrated approximately 24,000 documents from a Virginia-based business before the victim terminated the intrusion. The business successfully detected and disrupted the intrusion before Astamirov could deploy LockBit or another type of malware payload, according to federal prosecutors.

Then, in November 2021, an IP address controlled by Astamirov was used to carry out a LockBit attack against a business based in France. And in March 2023, Astamirov used a phishing email to compromise a Kenya-based business and carry out a LockBit attack. The business began ransom negotiations with Astamirov in late March 2023 and ultimately paid a ransom to the LockBit perpetrators on April 13.

On May 13, 2023, FBI agents in Arizona seized Astamirov's iPhone, iPad, MacBook Pro and USB storage device and subsequently obtained search warrants for each device. Astamirov consented to a voluntary interview with FBI agents at the same time and initially told them he was unfamiliar with an email address used in the LockBit attacks before claiming the address belonged to his brother, not to him.

But the criminal complaint alleges the email address in question was used to create the "astamirov_222" Instagram handle in January 2018 as well as a Microsoft account belonging to "Ruslan Aktamirov" - as transliterated from Cyrillic. Emails sent to that address by online betting platforms and a cryptocurrency exchange based overseas addressed the recipient as "Ruslan Astamirov" or "Astamirov Ruslan."

In addition, the criminal complaint alleges that Astamirov received the 80% affiliate portion of the fifth victim's ransom payment into a bitcoin address under his ownership and control. The payment received by Astamirov was worth more than $700,000 at the time of transaction, prosecutors allege. Astamirov told FBI agents in May that he had acquired, used and sold stolen access credentials for online services.

When negotiating with the fifth victim - which ultimately made a ransom payment - Astamirov allegedly told the business, "[Y]ou can also read about us on the internet, we are the oldest Ransomware group, we have the biggest reputation for trust, and we always keep our word!"

About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.
