Two Russian nationals pleaded guilty to their roles in ransomware attacks in the U.S., Asia, Europe and Africa for a notorious hacking gang known as LockBit.
Ruslan Magomedovich Astamirov and Mikhail Vasiliev admitted they helped to deploy the ransomware variant, which first appeared in 2020. It soon became one of the most destructive in the world, leading to attacks against more than 2,500 victims and ransom payments of at least $500 million, according to the Justice Department.
The men pleaded guilty Thursday in federal court in Newark, New Jersey, where six people have been charged over LockBit attacks, including Dimitry Yuryevich Khoroshev, described by the US as the creator, developer and administrator of the group. US authorities are offering a reward of up to $10 million for his arrest.
Astamirov, 21, of the Chechen Republic, and Vasiliev, 34, of Bradford, Ontario, pleaded guilty to charges including conspiracy to commit computer fraud and abuse.
LockBit is the name of a ransomware variant, a type of malicious code that locks up computers before hackers demand a ransom to unlock them. Hacking gangs are often known by the name of their ransomware variant. LockBit successfully deployed a ransomware-as-a-service model, in which “affiliates” lease the malicious code and do the actual hacking, in exchange for paying the the gang’s leaders a cut of their illegal proceeds. Astamirov and Vasiliev were affiliates, according to the Justice Department.
In recent years, the US and its allies have aggressively tried to curb ransomware attacks by sanctioning hackers or entities associated with them or disrupting the online infrastructure of cybercriminal gangs. But many hackers are located in places such as Russia, which provide them safe haven, making it difficult for Western law enforcement to arrest them.
In February, US and UK authorities announced they disrupted LockBit operations, arresting alleged members, seizing servers and cryptocurrency accounts, and recovering decryption keys to unlock hijacked data.
“We’ve dealt significant blows to destructive ransomware groups like LockBit, as we did earlier this year, seizing control of LockBit infrastructure and distributing decryption keys to their victims,” said Deputy Attorney General Lisa Monaco, in a statement.
Vasiliev deployed LockBit against at least 12 victims, including an educational facility in the UK and a school in Switzerland, the US said. He was arrested by Canadian authorities in November 2022 and extradited to the US in June.
Astamirov was arrested by the FBI last year. In May 2023, he agreed to an interview with FBI agents in Arizona, where they seized his electronic devices. He initially denied having anything to do with an email account through a Russian-based provider, but agents later found records related to it on his devices, according to the arrest complaint. Records showed that Astamirov used the email to “create multiple online accounts under names either fully or nearly identical to his own name,” the complaint said.
After August 2020, Astamirov executed cyberattacks on at least five victims, according to the FBI complaint. They included: businesses in France and West Palm Beach, Florida; a Tokyo firm, which refused to pay a ransom, leading the group to post stolen data on a “leak site” of extortion victims; a Virginia company that stopped an attack after 24,000 documents were stolen; and a Kenyan business that agreed to pay ransom after some of its stolen data was posted to the LockBit website.
Both are scheduled to be sentenced on Jan. 8, 2025.