Latest arrest places LockBit firmly in the crosshairs of international cyber police
The threat group could be set for a fate reminiscent of REvil


The Department of Justice (DoJ) has charged a third member allegedly associated with the LockBit ransomware operation, showing that law enforcement is continuing its firm stand against the group.
Russian national Ruslan Magomedovich Astamirov has received charges for conspiracy to commit wire fraud, damage computers, and damage computers for ransom while a member of the LockBit campaign.
He faces 20 years in prison for the first charge and five for the second, with both also carrying a potential fine of $250,000 or twice what was lost or gained from the offense.
Astamirov is the latest in a string of defendants charged with extorting victims through the use of LockBit ransomware, as international law enforcement ramps up its efforts to put an end to the RaaS operation.
In May, the DoJ offered a $10 million reward for information that could lead to the arrest of Mikhail Pavlovich Matveev, another hacker charged with criminal activity using LockBit, Hive, and Babuk ransomware variants.
The DoJ alleged that Astamirov had operated a number of email and IP addresses used to spread LockBit ransomware, and that a victim’s ransom payment was traced to a digital currency address held by the defendant.
“Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended,” said US attorney Philip R. Sellinger for the District of New Jersey.
“The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”
LockBit continues to plague enterprises across the world, with recent attacks including its £33 million ($42 million) Royal Mail ransom attempt.
“When it comes to publicly reported ransomware attacks, our data shows that LockBit leads with 17.6% of all attacks, followed by BlackCat at 16.9%,” said Dr Darren Williams, CEO and founder of ransomware specialist BlackFog.
Williams noted that LockBit has been behind 494 unreported incidents this year, far beyond BlackCat’s 171.
Brewing international crackdown
As prosecution against individuals linked to LockBit continues at pace, US and international partners could move against the campaign and seal its fate in a manner similar to REvil.
The group, also believed to be Russian-linked, had carried out a number of high-profile ransomware operations from 2019 onwards, including the Kaseya supply chain attack, threats to release Apple schematics, and a $50 million ransom demand against Acer.
In 2020, REvil claimed to have made $100 million from enterprise extortion, but seemingly vanished from the internet in July 2021. Though it resurfaced in September of that year, the group was soon hit by a joint international crackdown revealed by DoJ and Europol.
Further REvil members were raided by Russia’s Federal Security Service (FSB) in January 2022, with the agency stating at the time that the US had specifically appealed for arrests to be made.
Speaking on the latest LockBit charges, FBI deputy director Paul Abbate stated that the agency, in collaboration with US and international partners, is “fully committed to the permanent dismantlement of these types of ransomware campaigns that intentionally target people and our private sector partners”.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on LockBit providing organizations with detailed descriptions of LockBit tactics, alongside an extensive list of mitigations that can be taken against the group.
These ranged from steps for initial access, such as using email filters and sandboxed browsers, to more advanced system administrator advice covering defense evasion, lateral movement strategies, and steps for remediation in the event of an attack.
CISA also included a list of the common vulnerabilities and exposures (CVEs) that LockBit has been known to exploit, including an improper access control vulnerability in PaperCut MF, as well as remote code execution (RCE) flaws in Fortra GoAnywhere and Log4j2.
Federal organizations will be expected to arm themselves with the information to repel future LockBit attacks, and it can also be used as a repository of useful LockBit information for other enterprises.
LockBit has evolved to a great extent in recent years, growing to fill and exceed the gap left by the seemingly disbanded Conti group.
Stephen Robinson, senior threat intelligence analyst at WithSecure, said that LockBit has also adapted its strains to include code stolen from variants like BlackMatter, which has helped it to remain effective and avoid being stamped out.
“This really highlights that cyber threat actors are extremely pragmatic and will evolve, adopting methods and tactics that are proven to work,” he said.
“It also shows that just because a threat group is shut down or dissolved it does not mean that the overall threat diminishes, instead the operators of that group will most likely leave and join new groups, simply cross-pollinating ideas and expertise across the industry.”

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.