Two Foreign Nationals Plead Guilty to Participating in LockBit Ransomware Group

Two foreign nationals pleaded guilty today to participating in the LockBit ransomware group—at various times the most prolific ransomware variant in the world—and to deploying LockBit attacks against victims in the United States and worldwide.

“Today’s convictions reflect the latest returns on the Department’s investment in disrupting ransomware threats, prioritizing victims, and holding cybercriminals accountable,” said Deputy Attorney General Lisa Monaco. “In executing our all-tools cyber enforcement strategy, we’ve dealt significant blows to destructive ransomware groups like LockBit, as we did earlier this year, seizing control of LockBit infrastructure and distributing decryption keys to their victims. Today’s actions serve as a warning to ransomware actors who would attack Americans: we will find you and hold you accountable.”  

“The defendants committed ransomware attacks against victims in the United States and around the world through LockBit, which was one of the most destructive ransomware groups in the world,” said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division. “But thanks to the work of the Computer Crime and Intellectual Property Section, along with its domestic and international partners, LockBit no longer claims that title. Today’s convictions represent another important milestone in the Criminal Division’s ongoing effort to disrupt and dismantle ransomware groups, protect victims, and bring cybercriminals to justice.”

According to court documents, Ruslan Magomedovich Astamirov (АСТАМИРОВ, Руслан Магомедовичь), 21, a Russian national of the Chechen Republic, Russia, and Mikhail Vasiliev, 34, a dual Canadian and Russian national of Bradford, Ontario, were members of LockBit. In the period between January 2020 and February 2024, LockBit grew into what was, at times, the most active and destructive ransomware group in the world. LockBit attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States. Those victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies. LockBit’s members extorted at least approximately $500 million in ransom payments from their victims and caused billions of dollars in additional losses to victims, including costs like lost revenue and for incident response and recovery.

LockBit’s “affiliate” members, including Vasiliev and Astamirov, first identified and unlawfully accessed vulnerable computer systems, and then deployed LockBit ransomware on those systems to both steal and encrypt stored data. When LockBit attacks were successful, LockBit’s affiliate members then demanded ransoms from their victims in exchange for decrypting the victims’ data and then claiming to delete the affiliates’ copies of the data. When victims did not pay the demanded ransoms, LockBit’s affiliates often left the victim’s data permanently encrypted and publish the stolen data, including highly sensitive information, on a publicly accessible internet site under LockBit’s control.

“Astamirov and Vasiliev thought that they could deploy LockBit from the shadows, wreaking havoc and pocketing massive ransom payments from their victims, without consequence,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey. “They were wrong. We, in New Jersey, along with our domestic and international law enforcement partners will do everything in our power to hold LockBit’s members and other cybercriminals accountable, disrupt and dismantle their operations, and put a spotlight on them as wanted criminals—no matter where they hide.”

“Astamirov and Vasiliev were members of the LockBit ransomware group, which has caused severe harm around the globe by attacking computer systems in over a hundred countries damaging organizations ranging from government and law-enforcement agencies to hospitals and schools,” said FBI Deputy Director Paul Abbate. “Today’s plea shows our relentless and unwavering commitment to ensuring that cyber criminals are brought to justice for their actions. The FBI is proud of the international collaboration that led to these individuals being held accountable under the law for the damage their actions have caused.”

Between 2020 and 2023, Astamirov deployed LockBit against at least 12 victims, including businesses in Virginia, Japan, France, Scotland, and Kenya. Operating under the online aliases “BETTERPAY,” “offtitan,” and “Eastfarmer,” he extorted $1.9 million from those victims. As part of his plea agreement, Astamirov agreed to forfeit, among other assets, $350,000 in seized cryptocurrency that he extorted from one of his LockBit victims. Astamirov was first charged and arrested in this matter in June 2023.

Between 2021 and 2023, Vasiliev, operating under the online aliases “Ghostrider,” “Free,” “Digitalocean90,” “Digitalocean99,” “Digitalwaters99,” and “Newwave110,” deployed LockBit against at least 12 victims, including businesses in New Jersey, Michigan, the United Kingdom, and Switzerland. He also deployed LockBit against an educational facility in England and a school in Switzerland. Through these attacks, Vasiliev caused at least $500,000 in damage and losses to his victims. Vasiliev was first charged in this matter and arrested in Canada by Canadian authorities in November 2022, and extradited to the United States in June.

Astamirov pleaded guilty to a two-count information charging him with conspiracy to commit computer fraud and abuse and conspiracy to commit wire fraud. He faces a maximum penalty of 25 years in prison. Vasiliev pleaded guilty to a four-count information charging him with conspiracy to commit computer fraud and abuse, intentional damage to a protected computer, transmission of a threat in relation to damaging a protected computer, and conspiracy to commit wire fraud. He faces a maximum penalty of 45 years in prison. A sentencing date has not yet been set. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The LockBit Investigation

Today’s guilty pleas follow a recent disruption of LockBit ransomware in February by the U.K. National Crime Agency’s (NCA) Cyber Division, which worked in cooperation with the Justice Department, FBI, and other international law enforcement partners. As previously announced by the Department, authorities disrupted LockBit by seizing numerous public-facing websites used by LockBit to connect to the organization’s infrastructure and by seizing control of servers used by LockBit administrators, thereby disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data. This disruption succeeded in greatly diminishing LockBit’s reputation and its ability to attack further victims, as alleged by documents filed in this case.

Today’s guilty pleas also follow prior announcements of charges brought in the District of New Jersey against four other LockBit members, including its alleged creator, developer, and administrator, Dmitry Yuryevich Khoroshev. According to an indictment unsealed in May, Khoroshev allegedly acted as the group’s administrator from as early as September 2019 through 2024. In that role,  Khoroshev recruited new affiliate members, spoke for the group publicly under the alias “LockBitSupp,” and developed and maintained the infrastructure used by affiliates to deploy LockBit attacks. Khoroshev also took 20% of each ransom paid by LockBit victims, allowing him to personally derive at least $100 million over that period. Khoroshev is currently the subject of a reward of up to $10 million through the U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program, with information accepted through the FBI tip website at https://tips.fbi.gov/home.

Other charges against LockBit members include the following:

• In February 2024, in parallel with the disruption operation, an indictment was unsealed in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries.
• In May 2023, two indictments were unsealed in Washington, D.C., and the District of New Jersey charging Mikhail Matveev, also known as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, with using different ransomware variants, including LockBit, to attack numerous victims throughout the United States, including the Washington, D.C., Metropolitan Police Department. Matveev is currently the subject of a reward of up to $10 million through the U.S. Department of State’s TOC Rewards Program, with information accepted through the FBI tip website at tips.fbi.gov/.

The U.S. Department of State’s TOC Rewards Program is also offering rewards of:

• Up to $10 million for information leading to the identification and location of any individuals who hold a key leadership position in LockBit; and
• Up to $5 million for information leading to the arrest and/or conviction in any country of any individual participating or attempting to participate in LockBit.

Information is accepted through the FBI tip website at www.tips.fbi.gov/.

Khoroshev, Matveev, Sungatov, and Kondratyev have also been designated for sanctions by the Department of the Treasury’s Office of Foreign Assets Control for their roles in launching cyberattacks.  

Victim Assistance

LockBit victims are encouraged to contact the FBI and submit information at https://lockbitvictims.ic3.gov/. As announced by the Department in February, law enforcement, through its disruption efforts, has developed decryption capabilities that may enable hundreds of victims around the world to restore systems encrypted using the LockBit ransomware variant. Submitting information at the ICE site will enable law enforcement to determine whether affected systems can be successfully decrypted.

LockBit victims are also encouraged to visit www.justice.gov/usao-nj/lockbit for case updates and information regarding their rights under U.S. law, including the right to submit victim impact statements and request restitution, in the litigation against Astamirov and Vasiliev.

The FBI Newark Field Office, under the supervision of Special Agent in Charge James E. Dennehy, is investigating the LockBit ransomware variant. The FBI Atlanta Field Office, under the supervision of Special Agent in Charge Keri Farley; U.S. Attorney’s Office for the Northern District of Georgia; Ontario Provincial Police in Ontario, Canada; and Crown Attorney’s Office in Toronto, Canada, provided significant assistance in the Vasiliev matter. The United Kingdom’s NCA; France’s  Gendarmerie Nationale Cyberspace Command and Cyber Division of the Paris Prosecution Office; Germany’s Landeskriminalamt Schleswig-Holstein and the Bundeskriminalamt; Switzerland’s Federal Office of Justice and Police, Public Prosecutor’s Office for the Canton of Zurich, and Zurich Cantonal Police; Japan’s National Policy Agency; Australian Federal Police; Sweden’s Polismyndighetens; Royal Canadian Mounted Police; Politie Dienst Regionale Recherche Oost-Brabant of the Netherlands; Finland’s Poliisi; Europol; and Eurojust have provided significant assistance and coordination in both matters and in the LockBit investigation generally.

Trial Attorneys Jessica C. Peck, Debra Ireland, and Jorge Gonzalez of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorneys Andrew M. Trombly, David E. Malagold, and Vinay Limbachia for the District of New Jersey are prosecuting the charges against Astamirov and Vasiliev.

The Justice Department’s Cybercrime Liaison Prosecutor to Eurojust, Office of International Affairs, and National Security Division’s National Security Cyber Section also provided significant assistance.

Additional details on protecting networks against LockBit ransomware are available at StopRansomware.gov. These include Cybersecurity and Infrastructure Security Agency Advisories AA23-325A, AA23-165A, and AA23-075A.