Office of Public Affairs Two Foreign Nationals Plead Guilty to Participating in LockBit Ransomware Group United States Department of Justice
pAn official website of the United States governmentppHeres how you knowpp
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock
Lock
Locked padlock
or https means youve safely connected to the gov website Share sensitive information only on official secure websites
pp
This is archived content from the US Department of Justice website The information here may be outdated and links may no longer function Please contact webmasterusdojgov if you have any questions about the archive site
ppTwo foreign nationals pleaded guilty today to participating in the LockBit ransomware groupat various times the most prolific ransomware variant in the worldand to deploying LockBit attacks against victims in the United States and worldwideppTodays convictions reflect the latest returns on the Departments investment in disrupting ransomware threats prioritizing victims and holding cybercriminals accountable said Deputy Attorney General Lisa Monaco In executing our alltools cyber enforcement strategy weve dealt significant blows to destructive ransomware groups like LockBit as we did earlier this year seizing control of LockBit infrastructure and distributing decryption keys to their victims Todays actions serve as a warning to ransomware actors who would attack Americans we will find you and hold you accountable ppThe defendants committed ransomware attacks against victims in the United States and around the world through LockBit which was one of the most destructive ransomware groups in the world said Principal Deputy Assistant Attorney General Nicole M Argentieri head of the Justice Departments Criminal Division But thanks to the work of the Computer Crime and Intellectual Property Section along with its domestic and international partners LockBit no longer claims that title Todays convictions represent another important milestone in the Criminal Divisions ongoing effort to disrupt and dismantle ransomware groups protect victims and bring cybercriminals to justiceppAccording to court documents Ruslan Magomedovich Astamirov АСТАМИРОВ Руслан Магомедовичь 21 a Russian national of the Chechen Republic Russia and Mikhail Vasiliev 34 a dual Canadian and Russian national of Bradford Ontario were members of LockBit In the period between January 2020 and February 2024 LockBit grew into what was at times the most active and destructive ransomware group in the world LockBit attacked more than 2500 victims in at least 120 countries including 1800 victims in the United States Those victims included individuals small businesses multinational corporations hospitals schools nonprofit organizations critical infrastructure and government and lawenforcement agencies LockBits members extorted at least approximately 500 million in ransom payments from their victims and caused billions of dollars in additional losses to victims including costs like lost revenue and for incident response and recoveryppLockBits affiliate members including Vasiliev and Astamirov first identified and unlawfully accessed vulnerable computer systems and then deployed LockBit ransomware on those systems to both steal and encrypt stored data When LockBit attacks were successful LockBits affiliate members then demanded ransoms from their victims in exchange for decrypting the victims data and then claiming to delete the affiliates copies of the data When victims did not pay the demanded ransoms LockBits affiliates often left the victims data permanently encrypted and publish the stolen data including highly sensitive information on a publicly accessible internet site under LockBits controlppAstamirov and Vasiliev thought that they could deploy LockBit from the shadows wreaking havoc and pocketing massive ransom payments from their victims without consequence said US Attorney Philip R Sellinger for the District of New Jersey They were wrong We in New Jersey along with our domestic and international law enforcement partners will do everything in our power to hold LockBits members and other cybercriminals accountable disrupt and dismantle their operations and put a spotlight on them as wanted criminalsno matter where they hideppAstamirov and Vasiliev were members of the LockBit ransomware group which has caused severe harm around the globe by attacking computer systems in over a hundred countries damaging organizations ranging from government and lawenforcement agencies to hospitals and schools said FBI Deputy Director Paul Abbate Todays plea shows our relentless and unwavering commitment to ensuring that cyber criminals are brought to justice for their actions The FBI is proud of the international collaboration that led to these individuals being held accountable under the law for the damage their actions have causedppBetween 2020 and 2023 Astamirov deployed LockBit against at least 12 victims including businesses in Virginia Japan France Scotland and Kenya Operating under the online aliases BETTERPAY offtitan and Eastfarmer he extorted 19 million from those victims As part of his plea agreement Astamirov agreed to forfeit among other assets 350000 in seized cryptocurrency that he extorted from one of his LockBit victims Astamirov was first charged and arrested in this matter in June 2023ppBetween 2021 and 2023 Vasiliev operating under the online aliases Ghostrider Free Digitalocean90 Digitalocean99 Digitalwaters99 and Newwave110 deployed LockBit against at least 12 victims including businesses in New Jersey Michigan the United Kingdom and Switzerland He also deployed LockBit against an educational facility in England and a school in Switzerland Through these attacks Vasiliev caused at least 500000 in damage and losses to his victims Vasiliev was first charged in this matter and arrested in Canada by Canadian authorities in November 2022 and extradited to the United States in JuneppAstamirov pleaded guilty to a twocount information charging him with conspiracy to commit computer fraud and abuse and conspiracy to commit wire fraud He faces a maximum penalty of 25 years in prison Vasiliev pleaded guilty to a fourcount information charging him with conspiracy to commit computer fraud and abuse intentional damage to a protected computer transmission of a threat in relation to damaging a protected computer and conspiracy to commit wire fraud He faces a maximum penalty of 45 years in prison A sentencing date has not yet been set A federal district court judge will determine any sentence after considering the US Sentencing Guidelines and other statutory factorsppThe LockBit InvestigationppTodays guilty pleas follow a recent disruption of LockBit ransomware in February by the UK National Crime Agencys NCA Cyber Division which worked in cooperation with the Justice Department FBI and other international law enforcement partners As previously announced by the Department authorities disrupted LockBit by seizing numerous publicfacing websites used by LockBit to connect to the organizations infrastructure and by seizing control of servers used by LockBit administrators thereby disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data This disruption succeeded in greatly diminishing LockBits reputation and its ability to attack further victims as alleged by documents filed in this caseppTodays guilty pleas also follow prior announcements of charges brought in the District of New Jersey against four other LockBit members including its alleged creator developer and administrator Dmitry Yuryevich Khoroshev According to an indictment unsealed in May Khoroshev allegedly acted as the groups administrator from as early as September 2019 through 2024 In that role Khoroshev recruited new affiliate members spoke for the group publicly under the alias LockBitSupp and developed and maintained the infrastructure used by affiliates to deploy LockBit attacks Khoroshev also took 20 of each ransom paid by LockBit victims allowing him to personally derive at least 100 million over that period Khoroshev is currently the subject of a reward of up to 10 million through the US Department of States Transnational Organized Crime TOC Rewards Program with information accepted through the FBI tip website at httpstipsfbigovhomeppOther charges against LockBit members include the followingppThe US Department of States TOC Rewards Program is also offering rewards ofppInformation is accepted through the FBI tip website at wwwtipsfbigovppKhoroshev Matveev Sungatov and Kondratyev have also been designated for sanctions by the Department of the Treasurys Office of Foreign Assets Control for their roles in launching cyberattacks ppVictim AssistanceppLockBit victims are encouraged to contact the FBI and submit information at httpslockbitvictimsic3gov As announced by the Department in February law enforcement through its disruption efforts has developed decryption capabilities that may enable hundreds of victims around the world to restore systems encrypted using the LockBit ransomware variant Submitting information at the IC3 site will enable law enforcement to determine whether affected systems can be successfully decryptedppLockBit victims are also encouraged to visit wwwjusticegovusaonjlockbit for case updates and information regarding their rights under US law including the right to submit victim impact statements and request restitution in the litigation against Astamirov and VasilievppThe FBI Newark Field Office under the supervision of Special Agent in Charge James E Dennehy is investigating the LockBit ransomware variant The FBI Atlanta Field Office under the supervision of Special Agent in Charge Keri Farley US Attorneys Office for the Northern District of Georgia Ontario Provincial Police in Ontario Canada and Crown Attorneys Office in Toronto Canada provided significant assistance in the Vasiliev matter The United Kingdoms NCA Frances Gendarmerie Nationale Cyberspace Command and Cyber Division of the Paris Prosecution Office Germanys Landeskriminalamt SchleswigHolstein and the Bundeskriminalamt Switzerlands Federal Office of Justice and Police Public Prosecutors Office for the Canton of Zurich and Zurich Cantonal Police Japans National Policy Agency Australian Federal Police Swedens Polismyndighetens Royal Canadian Mounted Police Politie Dienst Regionale Recherche OostBrabant of the Netherlands Finlands Poliisi Europol and Eurojust have provided significant assistance and coordination in both matters and in the LockBit investigation generallyppTrial Attorneys Jessica C Peck Debra Ireland and Jorge Gonzalez of the Criminal Divisions Computer Crime and Intellectual Property Section CCIPS and Assistant US Attorneys Andrew M Trombly David E Malagold and Vinay Limbachia for the District of New Jersey are prosecuting the charges against Astamirov and VasilievppThe Justice Departments Cybercrime Liaison Prosecutor to Eurojust Office of International Affairs and National Security Divisions National Security Cyber Section also provided significant assistanceppAdditional details on protecting networks against LockBit ransomware are available at StopRansomwaregov These include Cybersecurity and Infrastructure Security Agency Advisories AA23325A AA23165A and AA23075A ppThe Justice Department announced the disruption of an ongoing terrorist financing scheme through the seizure of approximately 201400 in cryptocurrency held in wallets and accounts intended to benefit Harakat alMuqawamappThe Justice Department announced today a coordinated action with Germany and Finland to disrupt and take down the online infrastructure used to operate Garantex a cryptocurrency exchange that allegedly facilitatedppA federal jury in Cleveland convicted a Texas man today for writing and deploying malicious code on his former employers networkppOffice of Public AffairsUS Department of Justice950 Pennsylvania Avenue NWWashington DC 20530ppOffice of Public Affairs Direct Line2025142007ppDepartment of Justice Main Switchboard2025142000ppSignup for Email UpdatesSocial MediappppHave a question about Government Servicesp
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock
Lock
Locked padlock
or https means youve safely connected to the gov website Share sensitive information only on official secure websites
pp
This is archived content from the US Department of Justice website The information here may be outdated and links may no longer function Please contact webmasterusdojgov if you have any questions about the archive site
ppTwo foreign nationals pleaded guilty today to participating in the LockBit ransomware groupat various times the most prolific ransomware variant in the worldand to deploying LockBit attacks against victims in the United States and worldwideppTodays convictions reflect the latest returns on the Departments investment in disrupting ransomware threats prioritizing victims and holding cybercriminals accountable said Deputy Attorney General Lisa Monaco In executing our alltools cyber enforcement strategy weve dealt significant blows to destructive ransomware groups like LockBit as we did earlier this year seizing control of LockBit infrastructure and distributing decryption keys to their victims Todays actions serve as a warning to ransomware actors who would attack Americans we will find you and hold you accountable ppThe defendants committed ransomware attacks against victims in the United States and around the world through LockBit which was one of the most destructive ransomware groups in the world said Principal Deputy Assistant Attorney General Nicole M Argentieri head of the Justice Departments Criminal Division But thanks to the work of the Computer Crime and Intellectual Property Section along with its domestic and international partners LockBit no longer claims that title Todays convictions represent another important milestone in the Criminal Divisions ongoing effort to disrupt and dismantle ransomware groups protect victims and bring cybercriminals to justiceppAccording to court documents Ruslan Magomedovich Astamirov АСТАМИРОВ Руслан Магомедовичь 21 a Russian national of the Chechen Republic Russia and Mikhail Vasiliev 34 a dual Canadian and Russian national of Bradford Ontario were members of LockBit In the period between January 2020 and February 2024 LockBit grew into what was at times the most active and destructive ransomware group in the world LockBit attacked more than 2500 victims in at least 120 countries including 1800 victims in the United States Those victims included individuals small businesses multinational corporations hospitals schools nonprofit organizations critical infrastructure and government and lawenforcement agencies LockBits members extorted at least approximately 500 million in ransom payments from their victims and caused billions of dollars in additional losses to victims including costs like lost revenue and for incident response and recoveryppLockBits affiliate members including Vasiliev and Astamirov first identified and unlawfully accessed vulnerable computer systems and then deployed LockBit ransomware on those systems to both steal and encrypt stored data When LockBit attacks were successful LockBits affiliate members then demanded ransoms from their victims in exchange for decrypting the victims data and then claiming to delete the affiliates copies of the data When victims did not pay the demanded ransoms LockBits affiliates often left the victims data permanently encrypted and publish the stolen data including highly sensitive information on a publicly accessible internet site under LockBits controlppAstamirov and Vasiliev thought that they could deploy LockBit from the shadows wreaking havoc and pocketing massive ransom payments from their victims without consequence said US Attorney Philip R Sellinger for the District of New Jersey They were wrong We in New Jersey along with our domestic and international law enforcement partners will do everything in our power to hold LockBits members and other cybercriminals accountable disrupt and dismantle their operations and put a spotlight on them as wanted criminalsno matter where they hideppAstamirov and Vasiliev were members of the LockBit ransomware group which has caused severe harm around the globe by attacking computer systems in over a hundred countries damaging organizations ranging from government and lawenforcement agencies to hospitals and schools said FBI Deputy Director Paul Abbate Todays plea shows our relentless and unwavering commitment to ensuring that cyber criminals are brought to justice for their actions The FBI is proud of the international collaboration that led to these individuals being held accountable under the law for the damage their actions have causedppBetween 2020 and 2023 Astamirov deployed LockBit against at least 12 victims including businesses in Virginia Japan France Scotland and Kenya Operating under the online aliases BETTERPAY offtitan and Eastfarmer he extorted 19 million from those victims As part of his plea agreement Astamirov agreed to forfeit among other assets 350000 in seized cryptocurrency that he extorted from one of his LockBit victims Astamirov was first charged and arrested in this matter in June 2023ppBetween 2021 and 2023 Vasiliev operating under the online aliases Ghostrider Free Digitalocean90 Digitalocean99 Digitalwaters99 and Newwave110 deployed LockBit against at least 12 victims including businesses in New Jersey Michigan the United Kingdom and Switzerland He also deployed LockBit against an educational facility in England and a school in Switzerland Through these attacks Vasiliev caused at least 500000 in damage and losses to his victims Vasiliev was first charged in this matter and arrested in Canada by Canadian authorities in November 2022 and extradited to the United States in JuneppAstamirov pleaded guilty to a twocount information charging him with conspiracy to commit computer fraud and abuse and conspiracy to commit wire fraud He faces a maximum penalty of 25 years in prison Vasiliev pleaded guilty to a fourcount information charging him with conspiracy to commit computer fraud and abuse intentional damage to a protected computer transmission of a threat in relation to damaging a protected computer and conspiracy to commit wire fraud He faces a maximum penalty of 45 years in prison A sentencing date has not yet been set A federal district court judge will determine any sentence after considering the US Sentencing Guidelines and other statutory factorsppThe LockBit InvestigationppTodays guilty pleas follow a recent disruption of LockBit ransomware in February by the UK National Crime Agencys NCA Cyber Division which worked in cooperation with the Justice Department FBI and other international law enforcement partners As previously announced by the Department authorities disrupted LockBit by seizing numerous publicfacing websites used by LockBit to connect to the organizations infrastructure and by seizing control of servers used by LockBit administrators thereby disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data This disruption succeeded in greatly diminishing LockBits reputation and its ability to attack further victims as alleged by documents filed in this caseppTodays guilty pleas also follow prior announcements of charges brought in the District of New Jersey against four other LockBit members including its alleged creator developer and administrator Dmitry Yuryevich Khoroshev According to an indictment unsealed in May Khoroshev allegedly acted as the groups administrator from as early as September 2019 through 2024 In that role Khoroshev recruited new affiliate members spoke for the group publicly under the alias LockBitSupp and developed and maintained the infrastructure used by affiliates to deploy LockBit attacks Khoroshev also took 20 of each ransom paid by LockBit victims allowing him to personally derive at least 100 million over that period Khoroshev is currently the subject of a reward of up to 10 million through the US Department of States Transnational Organized Crime TOC Rewards Program with information accepted through the FBI tip website at httpstipsfbigovhomeppOther charges against LockBit members include the followingppThe US Department of States TOC Rewards Program is also offering rewards ofppInformation is accepted through the FBI tip website at wwwtipsfbigovppKhoroshev Matveev Sungatov and Kondratyev have also been designated for sanctions by the Department of the Treasurys Office of Foreign Assets Control for their roles in launching cyberattacks ppVictim AssistanceppLockBit victims are encouraged to contact the FBI and submit information at httpslockbitvictimsic3gov As announced by the Department in February law enforcement through its disruption efforts has developed decryption capabilities that may enable hundreds of victims around the world to restore systems encrypted using the LockBit ransomware variant Submitting information at the IC3 site will enable law enforcement to determine whether affected systems can be successfully decryptedppLockBit victims are also encouraged to visit wwwjusticegovusaonjlockbit for case updates and information regarding their rights under US law including the right to submit victim impact statements and request restitution in the litigation against Astamirov and VasilievppThe FBI Newark Field Office under the supervision of Special Agent in Charge James E Dennehy is investigating the LockBit ransomware variant The FBI Atlanta Field Office under the supervision of Special Agent in Charge Keri Farley US Attorneys Office for the Northern District of Georgia Ontario Provincial Police in Ontario Canada and Crown Attorneys Office in Toronto Canada provided significant assistance in the Vasiliev matter The United Kingdoms NCA Frances Gendarmerie Nationale Cyberspace Command and Cyber Division of the Paris Prosecution Office Germanys Landeskriminalamt SchleswigHolstein and the Bundeskriminalamt Switzerlands Federal Office of Justice and Police Public Prosecutors Office for the Canton of Zurich and Zurich Cantonal Police Japans National Policy Agency Australian Federal Police Swedens Polismyndighetens Royal Canadian Mounted Police Politie Dienst Regionale Recherche OostBrabant of the Netherlands Finlands Poliisi Europol and Eurojust have provided significant assistance and coordination in both matters and in the LockBit investigation generallyppTrial Attorneys Jessica C Peck Debra Ireland and Jorge Gonzalez of the Criminal Divisions Computer Crime and Intellectual Property Section CCIPS and Assistant US Attorneys Andrew M Trombly David E Malagold and Vinay Limbachia for the District of New Jersey are prosecuting the charges against Astamirov and VasilievppThe Justice Departments Cybercrime Liaison Prosecutor to Eurojust Office of International Affairs and National Security Divisions National Security Cyber Section also provided significant assistanceppAdditional details on protecting networks against LockBit ransomware are available at StopRansomwaregov These include Cybersecurity and Infrastructure Security Agency Advisories AA23325A AA23165A and AA23075A ppThe Justice Department announced the disruption of an ongoing terrorist financing scheme through the seizure of approximately 201400 in cryptocurrency held in wallets and accounts intended to benefit Harakat alMuqawamappThe Justice Department announced today a coordinated action with Germany and Finland to disrupt and take down the online infrastructure used to operate Garantex a cryptocurrency exchange that allegedly facilitatedppA federal jury in Cleveland convicted a Texas man today for writing and deploying malicious code on his former employers networkppOffice of Public AffairsUS Department of Justice950 Pennsylvania Avenue NWWashington DC 20530ppOffice of Public Affairs Direct Line2025142007ppDepartment of Justice Main Switchboard2025142000ppSignup for Email UpdatesSocial MediappppHave a question about Government Servicesp
