The FBI was able to identify Astamirov by following the money. They tracked some of the ransom paid by a victim to an account controlled by Astamirov, which provided the connection to the attack and the LockBit group. “According to a criminal complaint obtained in the District of New Jersey, from at least as early as August 2020 to March 2023, Astamirov allegedly participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and to intentionally damage protected computers and make ransom demands through the use and deployment of ransomware. Specifically, Astamirov directly executed at least five attacks against victim computer systems in the United States and abroad”.
LockBit is a prolific organization and some of the people involved with them have a lengthy (and impressive) history in the ransomware “profession”. Mikhail Matveev (the third person charged) is thought to have been involved with the LockBit, Babuk, and Hive groups. All three of these groups are well established and certainly on the radar of law enforcement. Matveev is something of a personality in his own right and has claimed he is self-taught and neither surprised nor concerned about the attention from the FBI. He recently said that he felt the news about him in relation to LockBit would be “forgotten very soon”. This is an interesting thing to say in light of the attention he faces now.
Of course, we are talking about a Russian national, who might still be in Russia at a time when there is little to no chance of cooperation between Russia and the US. There is also the challenge faced by US and national law enforcement agencies when it comes to Russian-based cyber criminals. Russia has had a well-documented attitude towards these groups that has let them operate with impunity as long as they did not target any Russian entities (state-owned or private). This is likely to give Matveev a secure feeling as long as he remains under the umbrella of Russian protection. Matveev may also be directly cooperating with the Russian government, as he has indicated that he wants to take Russian IT to the “next level”. If true, this would only serve to add to his comfort level.
The two arrests are not likely to have much of an impact on LockBit’s operations. The two affiliates, even if found guilty, are not likely to be high up in the food chain and the group appears to have better continuity plans than most legitimate major organizations. I fully expect LockBit to operate with business as usual, and it might ramp things up in the same manner as other RaaS groups have done. The news of vacancies within the organization and affiliates might just help that along.