US indicts two Russian nationals in LockBit ransomware case
The U.S. Department of Justice unsealed indictments on Tuesday against two alleged members of the LockBit ransomware group, whose enterprise was disrupted in a global operation announced on Monday. The Treasury Department also announced sanctions against the two men.
Russian nationals Artur Sungatov and Ivan Kondratiev — an infamous hacker also known as Bassterlord — “are alleged to have joined in the global LockBit conspiracy … to develop and deploy LockBit ransomware and to extort payments from victim corporations.”
Starting at least in January 2021, Sungatov is believed to have deployed LockBit ransomware against “manufacturing, logistics, insurance, and other companies located in Minnesota, Indiana, Puerto Rico, Wisconsin, Florida, and New Mexico.”
Kondratiev, meanwhile, is alleged to have launched attacks since August 2021 “against municipal and private targets in Oregon, Puerto Rico, and New York, as well as additional targets located in Singapore, Taiwan, and Lebanon.” In a separate indictment unsealed Tuesday in the Northern District of California, Kondratiev is accused of using the REvil ransomware variant in 2020 to extort a company based in Alameda County, which includes Oakland and Berkeley.
Kondratiev is an infamous figure in the hacking world, having written two manuals that together are a de facto guide on carrying out ransomware attacks. In an interview with Recorded Future News’ Click Here podcast last April, he reiterated claims that he had given up cybercrime, calling himself “an extortionist, retired.”
Researchers have cast doubts on his retirement, saying that he may have adopted a lower profile while managing his group, National Hazard Agency.
“For the companies that were paying me [in ransoms], what I'm making is just pennies for them,” he told Click Here. “I think these companies have enough money to pay all their expenses, and I think people who work for them do not really suffer a lot.”
The two DOJ indictments bring the number of charged LockBit associates to five, although only two of the accused are known to be in custody.
Dual Russian-Canadian national Mikhail Vasiliev — who was charged in November 2022 for his alleged role in LockBit — is currently in custody in Canada awaiting extradition to the U.S., while Ruslan Astamirov is awaiting trial in the U.S. on charges filed last June related to deploying LockBit against victims in Florida, Kenya, France and Japan.
Another accused purveyor of LockBit and other ransomware is Mikhail Matveev, also known as “Wazawaka,” who has a $10 million bounty through the State Department’s Transnational Organized Crime Rewards Program following his indictment last May.
The indictments coincide with a global takedown of LockBit led by Britain’s National Crime Agency, which reportedly involved the destruction of much of the group’s infrastructure as well as the collection of decryption keys to help victims.
Two arrests were announced Tuesday in Ukraine and Poland, but police did not reveal the identities of those detained. As of last year, Kondratiev claimed publicly to live in Russian-occupied Ukraine.
“Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation,” Attorney General Merrick Garland said while announcing the indictments. “LockBit is not the first ransomware variant the Justice Department and its international partners have dismantled. It will not be the last.”
Correction: A previous version of this article incorrectly stated where an arrest of an alleged LockBit member took place. It was in Poland, not France.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.