Latest arrest places LockBit firmly in the crosshairs of international cyber police
The threat group could be set for a fate reminiscent of REvil


The Department of Justice (DoJ) has charged a third member allegedly associated with the LockBit ransomware operation, showing that law enforcement is continuing its firm stand against the group.
Russian national Ruslan Magomedovich Astamirov has received charges for conspiracy to commit wire fraud, damage computers, and damage computers for ransom while a member of the LockBit campaign.
He faces 20 years in prison for the first charge and five for the second, with both also carrying a potential fine of $250,000 or twice what was lost or gained from the offense.
Astamirov is the latest in a string of defendants charged with extorting victims through the use of LockBit ransomware, as international law enforcement ramps up its efforts to put an end to the RaaS operation.
RELATED RESOURCE
In May, the DoJ offered a $10 million reward for information that could lead to the arrest of Mikhail Pavlovich Matveev, another hacker charged with criminal activity using LockBit, Hive, and Babuk ransomware variants.
The DoJ alleged that Astamirov had operated a number of email and IP addresses used to spread LockBit ransomware, and that a victim’s ransom payment was traced to a digital currency address held by the defendant.
“Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended,” said US attorney Philip R. Sellinger for the District of New Jersey.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”
LockBit continues to plague enterprises across the world, with recent attacks including its £33 million ($42 million) Royal Mail ransom attempt.
"When it comes to publicly reported ransomware attacks, our data shows that LockBit leads with 17.6% of all attacks, followed by BlackCat at 16.9%,” said Dr Darren Williams, CEO and founder of ransomware specialist BlackFog.
Williams noted that LockBit has been behind 494 unreported incidents this year, far beyond BlackCat’s 171.
Brewing international crackdown
As prosecution against individuals linked to LockBit continues at pace, US and international partners could move against the campaign and seal its fate in a manner similar to REvil.
The group, also believed to be Russian-linked, had carried out a number of high-profile ransomware operations from 2019 onwards, including the Kaseya supply chain attack, threats to release Apple schematics, and a $50 million ransom demand against Acer.
In 2020, REvil claimed to have made $100 million from enterprise extortion, but seemingly vanished from the internet in July 2021. Though it resurfaced in September of that year, the group was soon hit by a joint international crackdown revelaed by DoJ and Europol.
Further REvil members were raided by Russia’s Federal Security Service (FSB) in January 2022, with the agency stating at the time that the US had specifically appealed for arrests to be made.
RELATED RESOURCE
Supply chain as kill chain
Zero Trust is an “always-on everywhere” approach to security
DOWNLOAD FOR FREE
Speaking on the latest LockBit charges, FBI deputy director Paul Abbate stated that the agency, in collaboration with US and international partners, is “fully committed to the permanent dismantlement of these types of ransomware campaigns that intentionally target people and our private sector partners”.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on LockBit providing organizations with detailed descriptions of LockBit tactics, alongside an extensive list of mitigations that can be taken against the group.
These included steps for initial access, such as using email filters and sandboxed browsers, to more advanced system administrator advice covering defense evasion, lateral movement strategies, and steps for remediation in the event of an attack.
CISA also included a list of the common vulnerabilities and exposures (CVEs) that LockBit has been known to exploit, including an improper access control vulnerability in Papercut MF, aas well as remote code execution (RCE) flaws in Fortra GoAnywhere and Log4j2.
Federal organizations will be expected to arm themselves with the information to repel future LockBit attacks, and it can also be used as a repository of useful LockBit information for other enterprises.
LockBit has evolved to a great extent in recent years, growing to fill and exceed the gap left by the seemingly disbanded Conti group.
Stephen Robinson, senior threat intelligence analyst at WithSecure, said that LockBit has also adapted its strains to include code stolen from variants like BlackMatter, which has helped it to remain effective and avoid being stamped out.
“This really highlights that cyber threat actors are extremely pragmatic and will evolve, adopting methods and tactics that are proven to work,” he said.
“It also shows that just because a threat group is shut down or dissolved it does not mean that the overall threat diminishes, instead the operators of that group will most likely leave and join new groups, simply cross-pollinating ideas and expertise across the industry.”

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.
-
How to implement a four-day week in tech
In-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businesses
In-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?
News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making