FBI agents have arrested a Russian man suspected of being part of the Lockbit ransomware gang. An unsealed complaint alleges the 20-year-old was an Apple fanboy, an online gambler, and scored 80 percent of at least one ransom payment given to the criminals.
Ruslan Magomedovich Astamirov, 20, of the Chechen Republic, was to appear in court yesterday, shortly after the arrest.
According to the complaint [PDF], after Astamirov submitted to a voluntary interview in Arizona, FBI agents seized multiple devices from him including an Apple iPhone, an iPad, a MacBook Pro, and a USB storage device.
The feds allege that, through the devices, they managed to connect the suspect to an email address they say was used to register him on Amazon, Facebook, and Instagram as well as with an online betting program and a cryptocurrency exchange. They also detail alleged evidence that he owned, controlled, and used a variety of email addresses and IP addresses allowing him and his alleged co-conspirators to deploy LockBit and communicate with their victims. One specific IP address they allege was under his control was used in attacks on four victims, with feds claiming they’d found administrator credentials for the address in the seized iPhone.
They also alleged that they’d been able to trace a portion of a victim’s ransom payment to a virtual currency address in Astamirov’s control.
The complaint says that in the case of a fifth victim’s ransom payment, Astamirov allegedly received the “80 percent affiliate portion of the Victim-5 Ransom Payment into a Bitcoin address under his ownership and control hours after Victim-5 made that payment.”
While they didn’t say who Victim-5 was, the FBI did reveal that the attack took place as recently as April this year.
Special agent Keith Manning testified in the complaint that he believed “based in part on the fact that Astamirov received virtually all of the 80 percent affiliate portion of the Victim-5 Ransom Payment, that Astamirov was involved in the execution of that LockBit attack.” The complaint also detailed parts of a transcript of the negotiations.
“The FBI is committed to pursuing ransomware actors like Astamirov, who have exploited vulnerable cyber ecosystems and harmed victims,” said FBI deputy director Paul Abbate. “We, in collaboration with our federal and international partners, are fully committed to the permanent dismantlement of these types of ransomware campaigns that intentionally target people and our private sector partners. We will continue to leverage every resource to prevent this type of malicious, criminal activity.”
That a suspect’s cut would be 80 percent of the total echoes a Group-IB report, albeit detailing the activities of Qilin affiliates, saying that those who pay to use its ransomware for their own attacks can take home 80 percent of the ransom paid. According to the research, if the ransom paid is under $3 million, you get 80 percent, and for ransoms over $3 mill, the affiliates’ cut is a cool 85 percent. Not bad for someone who doesn’t have to worry about developing the software or maintaining the infrastructure (although one would hope the mental or moral load of defrauding fellow humans has got to be taxing).
Astamirov was charged with conspiring to commit wire fraud and conspiring to intentionally damage protected computers and to transmit ransom demands. If convicted, he faces a maximum of 20 years on the first charge and five years max on the second. Both charges are also punishable by a maximum fine of either $250,000 or “twice the gain or loss from the offense, whichever is greatest.”
The arrest comes months after LockBit-related charges against suspects in two other cases in the New Jersey district. Canadian and Russian national Mikhail Vasiliev was arrested on November 9 last year in Canada and is awaiting extradition to the United States to face charges he conspired with others to intentionally damage protected computers and to transmit ransom demands in connection with this.
In indictments unsealed in May this year, the feds charged Russian national Mikhail Matveev, whom they accuse of trying to shake down Washington cops after deploying Babuk ransomware against the Metropolitan Police Department. The feds allege he then threatened to disclose sensitive information to the public unless the cops paid up, according to the indictment. They also charged him as an alleged co-conspirator in a plot to infect a New Jersey law enforcement agency with LockBit. They have to catch him first, though. There’s a $10 million reward for anyone who can help the FBI extradite Matveev to the US so he can face the music.
As we’ve previously reported, the feds are currently on a tear after managing to clear out the Hive’s ransomware network after seven months of stalking the criminals on their own network and using their entry creds to find decryption keys before handing them out to over 300 victims. ®