22 July 2024

Two Russian LockBit ransomware affiliates plead guilty in the US



Two Russian nationals pleaded guilty to participating in the LockBit ransomware group responsible for multiple high-profile ransomware attacks.

The defendants, Ruslan Magomedovich Astamirov, 21, a Russian national from the Chechen Republic, and Mikhail Vasiliev, 34, a dual Canadian and Russian national from Bradford, Ontario, admitted to deploying LockBit attacks against victims in the United States and worldwide.

LockBit ransomware first emerged in January 2020 and has since grown into one of the most active and destructive ransomware groups globally. Between its inception and February 2024, LockBit targeted more than 2,500 victims across at least 120 countries, including 1,800 in the United States. The victims ranged from individuals and small businesses to multinational corporations and included critical infrastructure, government and law enforcement agencies, hospitals, schools, and nonprofit organizations. The group's activities led to at least $500 million in ransom payments and billions of dollars in broader losses, encompassing lost revenue, incident response, and recovery costs.

Astamirov and Vasiliev, as members of LockBit’s affiliate network, compromised computer systems and deployed the ransomware, stealing and encrypting stored data. They then demanded ransom payments for decryption and deletion of the stolen data. If victims did not comply, the data remained encrypted, and sensitive information was published on a publicly accessible Internet site controlled by LockBit.

Astamirov, who operated under the aliases "BETTERPAY," "offtitan," and "Eastfarmer," admitted to deploying LockBit against at least 12 victims between 2020 and 2023. His targets included businesses in Virginia, Japan, France, Scotland, and Kenya, resulting in $1.9 million in ransom payments. As part of his plea agreement, Astamirov agreed to forfeit $350,000 in seized cryptocurrency extorted from a LockBit victim. He was first charged and arrested in June 2023.

Vasiliev, known online as "Ghostrider," "Free," "Digitalocean90," "Digitalocean99," "Digitalwaters99," and "Newwave110," attacked at least 12 victims between 2021 and 2023. His targets included businesses in New Jersey, Michigan, the United Kingdom, and Switzerland, as well as an educational facility in England and a school in Switzerland. Vasiliev’s actions caused at least $500,000 in damage and losses. He was charged and arrested by Canadian authorities in November 2022 and extradited to the United States in June 2023.

Astamirov pleaded guilty to conspiracy to commit computer fraud and abuse and conspiracy to commit wire fraud, facing a maximum penalty of 25 years in prison. Vasiliev pleaded guilty to conspiracy to commit computer fraud and abuse, intentional damage to a protected computer, transmission of a threat related to damaging a protected computer, and conspiracy to commit wire fraud, facing a maximum penalty of 45 years in prison. Sentencing dates for both individuals have not yet been set.

The LockBit ransomware operation was disrupted in February 2024 as a result of a global police effort codenamed ‘Operation Cronos,’ involving law enforcement authorities from 11 countries. In May, US, UK, and Australian authorities and Europol doxxed the administrator of the notorious LockBit ransomware operation, identified as Dmitry Yuryevich Khoroshev (aka 'LockBitSupp' and ‘putincrab’).

