Justice Department disrupts LockBit cybergang, indicts 2 Russian nationals for using ransomware variant

The U.S. Justice Department joined the United Kingdom and other international law enforcement partners to disrupt the LockBit ransomware group, one of the most active ransomware groups in the world, the department announced Tuesday.

The DOJ, the FBI and the U.K.’s National Crime Agency’s (NCA) Cyber Division disrupted the ability of LockBit actors to attack networks, steal data and extort victims in the U.S. and around the world after they seized numerous public websites used by LockBit, which connected the organization’s vital infrastructure, and seized control of servers used by its administrators, it said in a joint statement.

According to the statement, the DOJ and its partners also indicted two Russian nationals for deploying LockBit against numerous victims: Artur Sungatov and Ivan Kondratyev, also known by his online alias ‘Bassterlord.’

‘For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world,’ said Attorney General Merrick B. Garland. ‘Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation. And we are going a step further — we have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data. LockBit is not the first ransomware variant the Justice Department and its international partners have dismantled. It will not be the last.’

LockBit has targeted more than 2,000 victims and has received more than $120 million in ransom payments. It has also made ransom demands totaling hundreds of millions of dollars.

According to the Justice Department statement, the law enforcement agencies also developed new capabilities to decrypt systems and data stolen by LockBit. This new discovery may enable hundreds of victims around the world to restore systems encrypted via the LockBit ransomware variant, the DOJ added.

‘Today, the FBI and our partners have successfully disrupted the LockBit criminal ecosystem, which represents one of the most prolific ransomware variants across the globe,’ said FBI Director Christopher A. Wray. ‘Through years of innovative investigative work, the FBI and our partners have significantly degraded the capabilities of those hackers responsible for launching crippling ransomware attacks against critical infrastructure and other public and private organizations around the world. This operation demonstrates both our capability and commitment to defend our nation’s cybersecurity and national security from any malicious actor who seeks to impact our way of life. We will continue to work with our domestic and international allies to identify, disrupt, and deter cyber threats, and to hold the perpetrators accountable.’

Additionally, the department unsealed two search warrants issued in the District of New Jersey for multiple U.S.-based servers used by LockBit members.

According to the indictment, Sungatov allegedly deployed LockBit ransomware against victim corporations and took steps to fund additional LockBit attacks against other victims at least as early as January 2021.

Several U.S. attorneys joined in the effort to prosecute the Russian nationals and praised the indictments as successful progress in clamping down on international criminal activity.

‘Today’s actions are another down payment on our pledge to continue dismantling the ecosystem fueling cybercrime by prioritizing disruptions and placing victims first,’ said Deputy Attorney General Lisa Monaco. ‘Using all our authorities and working alongside partners in the United Kingdom and around the world, we have now destroyed the online backbone of the LockBit group, one of the world’s most prolific ransomware gangs. But our work does not stop here: together with our partners, we are turning the tables on LockBit — providing decryption keys, unlocking victim data, and pursuing LockBit’s criminal affiliates around the globe.’

‘Today’s indictment, unsealed as part of a global coordinated action against the most active ransomware group in the world, brings to five the total number of LockBit members charged by my office and our FBI and Computer Crime and Intellectual Property Section partners for their crimes,’ said U.S. Attorney Philip R. Sellinger for the District of New Jersey. ‘And, even with today’s disruption of LockBit, we will not stop there. Our investigation will continue, and we remain as determined as ever to identify and charge all of LockBit’s membership — from its developers and administrators to its affiliates. We will put a spotlight on them as wanted criminals. They will no longer hide in the shadows.’

With the indictments unsealed Tuesday, a total of five LockBit members have now been charged with cyber crimes. These include Russian nationals Mikhail Pavlovich Matveev, Mikhail Vasiliev and Ruslan Magomedovich Astamirov.

The LockBit ransomware variant first appeared around January 2020 and has become one of the most active and destructive variants in the world.

The FBI Newark Field Office continues to investigate the LockBit ransomware variant.