Readers on my posts will have seen that LockBit are one of the most prolific ransomware gangs currently operating. One of the reasons behind their success is that they operate a business model where they pay monies to anyone who can provide them with an “in” to a target organisation. This model uses affiliates who either conduct initial access operations by hacking victims, or provide the LockBit gang with insider knowledge or credentials to a target organisation.
The number of affiliates are unknown, but one thing is for certain, there are a lot of them all across the globe.
So far in the last seven months in the US, three such affiliates have been arrested and charged with criminal activity.
The first was Mikhail Vasiliev, a 33 yr old Russian national who was arrested in October 2022 in Bradford, Ontario, Canada after an operation led by the French National Gendarmerie, Europol, the FBI, and the Royal Canadian Mounted Police.
During Vasiliev’s arrest, law enforcement agents seized eight computers, 32 external hard drives, two firearms, and €400,000 worth of cryptocurrency from the suspect’s home.
Law enforcement officers also found screenshots of Tox exchanges with ‘LockBitSupp,’ instructions on how to deploy the LockBit’s Linux/ESXi locker and the malware’s source code, as well as “photographs of a computer screen showing usernames and passwords for various platforms belonging to employees of a LockBit victim in Canada, which suffered a confirmed LockBit attack in or about January 2022.
Vasiliev is currently awaiting extradition to the US for formal charges to be applied.
The second charge is that of Mikhail Pavlovich Matveev in May 2023.
Known by various online names such as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, Matveev was charged for his involvement in deploying LockBit, Babuk, and Hive ransomware in attacks targeting organisations within and outside the United States.
I previously wrote about Matveev in blog 137 – Matveev is currently at large.
The third LockBit affiliate is Ruslan Magomedovich Astamirov – A 20 yr old Russian national from the Chechen Republic who was arrested in Arizona on charges relating to committing wire fraud and intentional damage to protected computers along with ransom demands through the use and deployment of ransomware.
The criminal complaint filed in the District Court of New Jersey identifies five specific victims targeted by Astamirov:
- Victim-1 – a business based in West Palm Beach, Florida, sustained a LockBit attack on or about August 15, 2020.
- Victim-2 – a business headquartered in Tokyo, Japan, sustained a LockBit attack on or about September 15, 2020
- Victim-3 – a business based in Virginia, sustained a computer intrusion on or about October 1, 2020
- Victim-4 – a business based in France, sustained a LockBit attack on or about November 18, 2021
- Victim-5 – a business based in Kenya, sustained a LockBit attack in or around March 2023