Two Russian nations have pleaded guilty to involvement in many LockBit ransomware attacks, which targeted victims worldwide and across the United States.

According to a Justice Department press release on Thursday, Russian national Ruslan Magomedovich Astamirov and Canadian/Russian national Mikhail Vasiliev were both affiliates of LockBit’s ransomware-as-a-service operation.

LockBit affiliates like Vasiliev and Astamirov would identify and breach vulnerable systems on victims’ networks, steal sensitive stored data, and help deploy ransomware payloads to encrypt files.

They would next demand a ransom from victims in exchange for deleting and not leaking the stolen data online and decrypting the victims’ files. If the victims did not pay these ransoms, LockBit would leave the victims’ data permanently encrypted and publish the stolen files, which included highly sensitive information on the gang’s dark web leak site.

According to court documents, Astamirov (aka BETTERPAY, offtitan, and Eastfarmer) deployed LockBit between 2020 and 2023 against at least a dozen victims, including businesses in Virginia, Japan, France, Scotland, and Kenya, collecting at least $1.9 million in ransom payments.

Between 2021 and 2023, Vasiliev (aka Ghostrider, Free, Digitalocean90, Digitalocean99, Digitalwaters99, and Newwave110) also used LockBit ransomware in at least 12 attacks against victims worldwide, including businesses in New Jersey, Michigan, the United Kingdom, and Switzerland, causing at least $500,000 in damage and losses, according to the guilty plea.

Astamirov was arrested in Arizona in June 2023 and charged with deploying LockBit ransomware. Vasiliev, who was extradited to the United States in June, has already been sentenced to four years in prison by an Ontario court for his involvement in the LockBit ransomware operation.

While a sentencing date has not yet been set, Astamirov could face a maximum of 25 years in prison, while Vasiliev could get a maximum of 45 years.

Six LockBit ransomware members charged in the U.S.

Previous charges and arrests of Lockbit ransomware actors include Mikhail Pavlovich Matveev (aka Wazawaka) in May 2023, Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord) in February 2024, and Dmitry Yuryevich Khoroshev (aka LockBitSupp and putinkrab) in May 2024.

LockBit surfaced in September 2019 as ABCD and has since claimed and was linked to attacks against many high-profile companies and organizations, including Boeing, the Continental automotive giant, ank of America, the Italian Internal Revenue Service, and the UK Royal Mail.

In February 2024, law enforcement carried out Operation Cronos, taking down LockBit’s infrastructure and seizing 34 servers. These servers contained over 2,500 decryption keys used to create a free LockBit 3.0 Black Ransomware decryptor.

The U.S. Department of Justice and the U.K.’s National Crime Agency estimate that the gang extorted between $500 million and $1 billion following at least 7,000 attacks between June 2022 and February 2024.

However, LockBit is still active, has relocated to new servers and dark web domains, and continues to target victimsand release large amounts of old and new data in response to U.S. and U.K. authorities’ recent takedown of its infrastructure.