Two men have confessed in the United States to their involvement in the notorious LockBit ransomware group, facing potential prison sentences of up to 25 and 45 years. LockBit operates under a Ransomware-as-a-Service (RaaS) model, where the developers provide ransomware tools to affiliates who then carry out the attacks, with profits shared between them.
Ruslan Magomedovich Astamirov, a 21-year-old Russian national from the Chechen Republic, and Mikhail Vasiliev, a 34-year-old dual Canadian and Russian national from Ontario, admitted to deploying the LockBit ransomware. They targeted vulnerable computer systems, encrypted the data, and demanded ransom payments in exchange for decryption keys. When victims refused to pay, the stolen data was published online.
Astamirov admitted to carrying out at least 12 ransomware attacks, earning approximately $1.9 million. As part of his plea deal, he will forfeit $350,000 in cryptocurrency that was seized by authorities. Vasiliev, also linked to 12 attacks, caused around $500,000 in damages and was arrested in Canada before being extradited to the United States.
The LockBit ransomware variant, which first appeared in January 2020, became one of the most destructive ransomware groups in the world. The group attacked over 2,500 victims across 120 countries, extracting around $500 million in ransom payments and causing billions of dollars in broader losses.
Astamirov and Vasiliev’s guilty pleas come after significant international law enforcement efforts to disrupt LockBit’s operations. In February, the UK’s National Crime Agency, in cooperation with the US Department of Justice and the FBI, seized LockBit’s public-facing websites and servers, crippling their ability to continue attacks.
“Astamirov and Vasiliev thought they could operate from the shadows, wreaking havoc and pocketing massive ransom payments without consequence. They were wrong,” stated U.S. Attorney Philip R. Sellinger. Deputy Attorney General Lisa Monaco emphasized the Department of Justice’s commitment to disrupting ransomware threats and holding cybercriminals accountable.
LockBit affiliates identify vulnerable systems, deploy ransomware, and demand payments from victims. If the ransom is not paid, they leave the data encrypted and publish stolen data. This model allows even less technically skilled criminals to participate in ransomware attacks, as they rely on the sophisticated malware developed by others in the group.
Vasiliev, using aliases such as “Ghostrider” and “Digitalocean90,” attacked businesses and educational institutions in several countries, causing significant disruptions and financial losses. Both men are scheduled for sentencing in January 2025.
The Department of Justice also charged Dmitry Yuryevich Khoroshev, the alleged developer and administrator of LockBit, who reportedly made at least $100 million from the ransomware. Khoroshev faces 26 criminal counts, including extortion and wire fraud.
LockBit victims are encouraged to contact the FBI and submit information via the Internet Crime Complaint Center (IC3) to receive assistance with decryption keys obtained through law enforcement efforts. Victims can also visit the Justice Department’s website for updates and information regarding their rights, including the right to submit victim impact statements and request restitution.
