22 July 2024

Two Russian LockBit ransomware affiliates plead guilty in the US



Two Russian nationals pleaded guilty to participating in the LockBit ransomware group responsible for multiple high-profile ransomware attacks.

The defendants, Ruslan Magomedovich Astamirov, 21, a Russian national from the Chechen Republic, and Mikhail Vasiliev, 34, a dual Canadian and Russian national from Bradford, Ontario, admitted to deploying LockBit attacks against victims in the United States and worldwide.

LockBit ransomware first emerged in January 2020 and has since grown into one of the most active and destructive ransomware groups globally. Between its inception and February 2024, LockBit targeted more than 2,500 victims across at least 120 countries, including 1,800 in the United States. The victims ranged from individuals and small businesses to multinational corporations and included critical infrastructure, government and law enforcement agencies, hospitals, schools, and nonprofit organizations. The group's activities led to at least $500 million in ransom payments and billions of dollars in broader losses, encompassing lost revenue, incident response, and recovery costs.

Astamirov and Vasiliev, as members of LockBit’s affiliate network, compromised computer systems and deployed the ransomware, stealing and encrypting stored data. They then demanded ransom payments for decryption and deletion of the stolen data. If victims did not comply, the data remained encrypted, and sensitive information was published on a publicly accessible Internet site controlled by LockBit.

Astamirov, who operated under the aliases "BETTERPAY," "offtitan," and "Eastfarmer," admitted to deploying LockBit against at least 12 victims between 2020 and 2023. His targets included businesses in Virginia, Japan, France, Scotland, and Kenya, resulting in $1.9 million in ransom payments. As part of his plea agreement, Astamirov agreed to forfeit $350,000 in seized cryptocurrency extorted from a LockBit victim. He was first charged and arrested in June 2023.

Vasiliev, known online as "Ghostrider," "Free," "Digitalocean90," "Digitalocean99," "Digitalwaters99," and "Newwave110," attacked at least 12 victims between 2021 and 2023. His targets included businesses in New Jersey, Michigan, the United Kingdom, and Switzerland, as well as an educational facility in England and a school in Switzerland. Vasiliev’s actions caused at least $500,000 in damage and losses. He was charged and arrested by Canadian authorities in November 2022 and extradited to the United States in June 2023.

Astamirov pleaded guilty to conspiracy to commit computer fraud and abuse and conspiracy to commit wire fraud, facing a maximum penalty of 25 years in prison. Vasiliev pleaded guilty to conspiracy to commit computer fraud and abuse, intentional damage to a protected computer, transmission of a threat related to damaging a protected computer, and conspiracy to commit wire fraud, facing a maximum penalty of 45 years in prison. Sentencing dates for both individuals have not yet been set.

The LockBit ransomware operation was disrupted in February 2024 as a result of a global police effort codenamed 'Operation Cronos,' involving law enforcement authorities from 11 countries. In May, US, UK, and Australian authorities and Europol doxxed the administrator of the notorious LockBit ransomware operation, identified as Dmitry Yuryevich Khoroshev (aka 'LockBitSupp' and 'putincrab').

