Connect with us

Hi, what are you looking for?



Russian National Arrested, Charged in US Over Role in LockBit Ransomware Attacks

The US charges Russian national Ruslan Magomedovich Astamirov over his alleged role in LockBit ransomware attacks.

The US Justice Department on Thursday announced charges against a third Russian national allegedly involved in deploying the LockBit ransomware.

The man, Ruslan Magomedovich Astamirov, 20, of Chechen Republic, Russia, who was arrested in Arizona, allegedly owned, controlled, and used multiple IP addresses, email addresses, and other online accounts to deploy the LockBit ransomware and communicate with victims.

According to court documents, in at least one instance, authorities were able to trace a victim’s payment to a cryptocurrency address that Astamirov controlled.

According to an FBI complaint (PDF), Astamirov has been a member of the LockBit ransomware gang since at least August 2020 and directly executed at least five cyberattacks against victim systems in the US.

The complaint also reveals that, in May 2023, during a voluntary interview with the FBI, Astamirov lied about his connection with one of the email addresses used in LockBit ransomware attacks, but later admitted that he used the email account on at least three different devices.

At the time, authorities seized several devices Astamirov owned, including an iPhone, an iPad, a MacBook Pro, and a USB drive.

According to the complaint, law enforcement obtained evidence that Astamirov used the email address to set up online accounts used in LockBit attacks, and that he also controlled an IP address used in attacks against at least four victims.

Advertisement. Scroll to continue reading.

Authorities also linked the IP address to a second email address that Astamirov used and discovered that Astamirov received 80% of a ransom payment in roughly $700,000-worth of cryptocurrency from a fifth victim of the LockBit ransomware, with which he and likely other co-conspirators negotiated.

Astamirov is charged with conspiracy to commit wire fraud, punishable by a maximum of 20 years in prison, and conspiracy to damage computers and transmit ransom demands, which is punishable by a maximum of five years in prison.

The LockBit ransomware has been active since at least January 2020, operating under the Ransomware-as-a-Service (RaaS) model and targeting organizations in the US, Asia, Europe, and Africa.

The FBI estimates that it has been used in roughly 1,700 attacks in the US, with victims paying approximately $91 million in ransoms.

In November 2022, Mikhail Vasiliev, a Russian and Canadian national was arrested in Canada over his role in LockBit deployments. In May 2023, the US announced a $10 million reward for information leading to the arrest of Mikhail Pavlovich Matveev, a Russian national allegedly involved in Babuk, Hive, and LockBit ransomware attacks.

Related: US Government Warns Organizations of LockBit 3.0 Ransomware Attacks

Related: LockBit Ransomware Group Developing Malware to Encrypt Files on macOS

Related: LockBit Ransomware Site Hit by DDoS Attack as Hackers Start Leaking Entrust Data

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


US payments giant NCR has confirmed being targeted in a ransomware attack for which the BlackCat/Alphv group has taken credit.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.