The Department of Justice announced that it has arrested Russian national Ruslan Magomedovich Astamirov, claiming he is a part of the LockBit ransomware gang.
A criminal complaint obtained by SC Media and unsealed in a New Jersey District Court this week alleges that between August 2020 and March 2023, Astamirov helped carry out five separate ransomware attacks on victims in the United States and around the world, four of which were done on behalf of LockBit.
Astamirov reportedly used numerous email accounts and other infrastructure to launch attacks, including one from a Russian email provider, two more from a New Zealand cloud services account and another from an unnamed overseas account. Some were used to upload exfiltrated victim data.
FBI officials subpoenaed records from Meta, Amazon and Microsoft that tied ownership of the accounts to Astamirov. They also used cookie data to link the accounts and Astamirov together.
Those emails were traced to ransomware attacks against businesses based in West Palm Beach, Florida; Virginia; Tokyo, Japan; and Virginia. The complaint does not identify the compromised companies. For at least one of those attacks, 80% of a $700,000 ransom payment made by the victim was sent to a Bitcoin address owned by Astamirov just hours later.
Federal agents caught up with Astamirov in Arizona and questioned him on May 13. According to the complaint, he voluntarily consented to being interviewed, and denied any knowledge of one of the connected email addresses, but FBI officials seized his iPhone, iPad, MacBook Pro and a USB drive that same day.
Astamirov reportedly recanted his prior claim under further questioning, and acknowledged that the seized devices contained evidence he had access to those accounts, something forensic analysis later confirmed. He also admitted that "he himself acquired, used, and sold stolen access credentials for various online services," according to sworn testimony from FBI Special Agent Kenneth Manning.
Astamirov is being charged with two counts of conspiracy to commit fraud and wire fraud related to a computer. If convicted, he faces up to 20 years in prison for the first charge and 5 years for the second, as well as a maximum fine of $250,000.
“This LockBit-related arrest, the second in six months, underscores the Justice Department’s unwavering commitment to hold ransomware actors accountable,” said Deputy Attorney General Lisa O. Monaco in a statement. “In securing the arrest of a second Russian national affiliated with the LockBit ransomware, the Department has once again demonstrated the long arm of the law. We will continue to use every tool at our disposal to disrupt cybercrime, and while cybercriminals may continue to run, they ultimately cannot hide.”
LockBit is – by far – the most prolific ransomware group in the world today. A joint advisory released by the Cybersecurity and Infrastructure Security Agency, the FBI and other parties claimed that the group was responsible for more than 1,700 attacks and $91 million taken from victims in the U.S. and other countries over the past three years.