The US Justice Department on Thursday announced charges against a third Russian national allegedly involved in deploying the LockBit ransomware.
The man, Ruslan Magomedovich Astamirov, 20, of the Chechen Republic, Russia, who was arrested in Arizona, allegedly owned, controlled, and used multiple IP addresses, email addresses, and other online accounts to deploy the LockBit ransomware and communicate with victims.
According to court documents, in at least one instance, authorities were able to trace a victim’s payment to a cryptocurrency address that Astamirov controlled.
According to an FBI complaint (PDF), Astamirov has been a member of the LockBit ransomware gang since at least August 2020 and directly executed at least five cyberattacks against victim systems in the US.
The complaint also reveals that, in May 2023, during a voluntary interview with the FBI, Astamirov lied about his connection with one of the email addresses used in LockBit ransomware attacks, but later admitted that he used the email account on at least three different devices.
At the time, authorities seized several devices Astamirov owned, including an iPhone, an iPad, a MacBook Pro, and a USB drive.
According to the complaint, law enforcement obtained evidence that Astamirov used the email address to set up online accounts used in LockBit attacks, and that he also controlled an IP address used in attacks against at least four victims.
Authorities also linked the IP address to a second email address that Astamirov used and discovered that Astamirov received 80% of a ransom payment in roughly $700,000 worth of cryptocurrency from a fifth victim of the LockBit ransomware, with whom he and likely other co-conspirators negotiated.
Astamirov is charged with conspiracy to commit wire fraud, punishable by a maximum of 20 years in prison, and conspiracy to damage computers and transmit ransom demands, which is punishable by a maximum of five years in prison.
The LockBit ransomware has been active since at least January 2020, operating under the Ransomware-as-a-Service (RaaS) model and targeting organizations in the US, Asia, Europe, and Africa.
The FBI estimates that it has been used in roughly 1,700 attacks in the US, with victims paying approximately $91 million in ransoms.
In November 2022, Mikhail Vasiliev, a Russian and Canadian national, was arrested in Canada over his role in LockBit deployments. In May 2023, the US announced a $10 million reward for information leading to the arrest of Mikhail Pavlovich Matveev, a Russian national allegedly involved in Babuk, Hive, and LockBit ransomware attacks.