Threat Management

Feds arrest, charge Russian national in Arizona for LockBit attacks

Justice Department seal

The Department of Justice announced that it has arrested Russian national Ruslan Magomedovich Astamirov, claiming he is a part of the LockBit ransomware gang.

A criminal complaint obtained by SC Media and unsealed in a New Jersey District Court this week alleges that between August 2020 and March 2023, Astamirov helped carry out five separate ransomware attacks on victims in the United States and around the world, four of which were done on behalf of LockBit.

Astamirov reportedly used numerous email accounts and other infrastructure to launch attacks, including one from a Russian email provider, two more from a New Zealand cloud services account and another from an unnamed overseas account. Some were used to upload exfiltrated victim data.

FBI officials subpoenaed records from Meta, Amazon and Microsoft that tied ownership of the accounts to Astamirov. They also used cookie data to link the accounts and Astamirov together.

Those emails were traced to ransomware attacks against businesses based in West Palm Beach, Florida, Virginia, Tokyo, Japan, and Virginia. The complaint does not identify the compromised companies. For at least one of those attacks, 80% of a $700,000 ransom payment sent by the victim was sent to a Bitcoin address owned by Astamirov just hours later.

Federal agents caught up with Astamirov in Arizona and questioned him on May 13. According to the complaint, he voluntarily consented to being interviewed, and denied any knowledge of one of the connected email addresses, but FBI officials seized his iPhone, iPad, MacBook Pro and a USB drive that same day.

Astamirov reportedly recanted on his prior claim under further questioning, and acknowledged that the seized devices contained evidence he had access to those accounts, something forensic analysis later confirmed. He also admitted that "he himself acquired, used, and sold stolen access credentials for various online services" according to sworn testimony from FBI Special Agent Kenneth Manning.

Astamirov is being charged with two counts of conspiracy to commit fraud and wire fraud related to a computer. If convicted, he faces up to 20 years in prison for the first charge and 5 years for the second, as well as a maximum fine of $250,000.

“This LockBit-related arrest, the second in six months, underscores the Justice Department’s unwavering commitment to hold ransomware actors accountable,” said Deputy Attorney General Lisa O. Monaco in a statement. “In securing the arrest of a second Russian national affiliated with the LockBit ransomware, the Department has once again demonstrated the long arm of the law. We will continue to use every tool at our disposal to disrupt cybercrime, and while cybercriminals may continue to run, they ultimately cannot hide.”

LockBit is – by far – the most prolific ransomware group in the world today. A joint advisory released by the Cybersecurity and Infrastructure Security Agency, the FBI and other parties claimed that the group was responsible for more than 1,700 attacks and $91 million from victims in the U.S. and other countries over the past three years.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds