
Alleged Russian ransomware raiders arrested and charged as UK and US level LockBit gang

LockBit website seized by NCA and law enforcement agencies. Source: NCA

Britain and the United States say a joint operation with law enforcement agencies worldwide has resulted in the successful disruption of the notorious LockBit ransomware group, which has been active since January 2020.

LockBit is believed to have been deployed against more than 2000 victims worldwide, with over US$120 million extorted. The gang is believed to be the largest currently operating, with a 25% "market share".

The UK's National Crime Agency (NCA) said it was able to infiltrate the ransomware group's network and take control over its administrative environment.

That environment enabled LockBit affiliates to build and carry out attacks that saw victims' data stolen and encrypted, with millions of dollars in ransom demanded to decrypt it and to prevent the information from being published.

The joint operation, code named Operation Cronos, was able to obtain the source code for the LockBit ransomware, along with over 1000 decryption keys that can be used to help victims unscramble their data.

Working with the US Federal Bureau of Investigation (FBI), the NCA has developed decryption capabilities.

The FBI has set up a contact site for victims worldwide, to determine if their ransomware-affected systems can be successfully decrypted.

The NCA noted that some victims' stolen data remained on the seized LockBit systems even though they had paid the ransom, despite the criminals' promise to delete it after the extortion money had been received.

LockBit operates as ransomware-as-a-service, and the law enforcement agencies said 28 servers in three countries belonging to affiliates had been taken down.

Alleged criminals arrested and charged

As part of the police operation, Europol-coordinated action saw two LockBit actors arrested in Poland and Ukraine, with over 200 cryptocurrency accounts linked to the ransomware group frozen.

The US Department of Justice (DoJ) said five LockBit members, all of Russian extraction, have been charged for their part in the ransomware operation.

Mikhail Vasiliev was charged by the US in November 2022; he is in custody in Canada, awaiting extradition to the US. 

Ruslan Magomedovich Astamirov was charged in June 2023 for attacking victims in Florida, Japan and Kenya, and is in US custody awaiting trial.

Mikhail Pavlovich Matveev has also been charged by the US, and now has a bounty of up to US$10 million for information about him.

Two other ransomware criminals, Artur Sungatov and Ivan "Bassterlord" Kondratyev, have now also been charged. The DoJ said the two were charged with "deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries, as well as victims around the world in semiconductor and other industries".

LockBit was used against the world's largest semiconductor maker TSMC in July last year, with the criminals posting data belonging to the Taiwanese company on their website.

The criminals are alleged to have used ransomware other than LockBit as well, including REvil.

Sungatov and Kondratyev have also been designated by the US for their roles in launching cyber attacks.

Like other major ransomware such as Cl0p, Hive and Trickbot, LockBit operated on an as-a-service model under which developers designed the malware tools and recruited affiliates for the attacks.

Extortion payments for ransomware are made in cryptocurrency.

Last year, cryptocurrency transaction tracing firm Chainalysis published research that pointed to payments spiking at US$1.1 billion last year, after declining to US$567 million in 2022.


10 Comments

Criminal activity is the main reason Bitcoin hasn't collapsed.  To the extent authorities continue to find accounts and freeze them and ultimately close them, there could be a real downward hit to Bitcoin.

Up
6

And what do they do with the proceeds of crime once frozen, I wonder.

Up
1
Up
0

You clearly haven't looked into the data.

The volume of illegal activity on the Bitcoin network is less than 1% and decreasing every year. 

Also you can't close or freeze a bitcoin wallet unless you take control of the private keys. You can close their exchange accounts and connections to the fiat system. But again, this nuance is conveniently overlooked in media articles.

Bitcoin won't even blink at this news.

You want to do illegal stuff, you use cold hard USD cash baby. 

Up
2

The volume of illegal activity on the Bitcoin network is less than 1% and decreasing every year.

🤣🤣🤣🤣🤣🤣

Up
1

He's right. If you want criminal activity, look at Monero.

Up
1

https://www.chainalysis.com/blog/2024-crypto-crime-report-introduction/

If you care to actually educate yourself :) 

 

Up
0

this only tracks "addresses that we have identified as illicit"

where is the estimate for "addresses that are illicit but we haven't identified them yet"?

I have no faith in that analysis whatsoever, total black box.

Up
2

"Criminal activity is the main reason Bitcoin money hasn't collapsed."

Says someone who has no idea what the Bitcoin network or Bitcoin is.

You never heard of people using cash for illegal activity?

Seriously.

Up
1

Blackrock launched a Bitcoin ETF in the largest financial market in the world in January.

 

Are they in on this "criminal activity" too?

Up
1