Russian national arrested in Arizona, charged for alleged role in LockBit ransomware attacks

The group is one of the most prolific ransomware gangs, responsible for an estimated $91 million paid by U.S. victims.

Federal law enforcement officials arrested a Russian national in Arizona on charges related to his participation in multiple LockBit ransomware attacks against victims in the U.S., Asia, Europe and Africa, the Department of Justice said Thursday.

Ruslan Magomedovich Astamirov, 20, was taken into custody on Wednesday, a spokesperson for U.S. Attorney Philip Sellinger, from the District of New Jersey, told CyberScoop after the DOJ unsealed a criminal complaint in the case.

LockBit, which emerged in January 2020, was the most active ransomware variant in 2022 in terms of victims claimed on the group’s data leak site, U.S. cybersecurity officials said in a June 14 advisory. Known LockBit attacks accounted for 16% of state, local, tribal and tribunal government ransomware attacks reported in the U.S. in 2022, as well as roughly 20% of known government ransomware attacks in Australia, Canada and New Zealand, the advisory said. Since January 2020, the group has been associated with approximately $91 million in ransoms paid in the U.S., the advisory said.

Astamirov’s case will be tried out of New Jersey, which is handling the cases of two other men accused of participating in LockBit ransomware attacks: Mikhail Vasiliev, a dual Russian and Canadian national, was arrested in November, and Mikhail Pavlovich Matveev, also known as Wazawaka, was indicted in May for alleged roles in LockBit attacks along with other cyber activities. Matveev, a Russian national, remains at large.


“Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended,” U.S. Attorney Sellinger said in a statement. “The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”

The announcement comes a day after the joint advisory from top cybersecurity officials in the U.S. and their counterparts in multiple countries detailing the threat from LockBit, which the advisory said was the most deployed ransomware variant in 2022. The variant is associated with more than 1,400 attacks in the U.S. and around the world, according to the Department of Justice.

According to the complaint filed by prosecutors, Astamirov owned and controlled email addresses, an IP address and a cloud services account associated with the deployment of LockBit attacks. Astamirov “executed” attacks on victims in Florida, Tokyo, Virginia, France and Kenya dating back to August 2020, according to the complaint. Astamirov received at least 80 percent of the ransom payment made in Bitcoin in one of the attacks, the complaint alleges.

FBI agents interviewed Astamirov in May and searched several devices, including his phone and a laptop computer, according to the complaint.
