US sanctions LockBit members after ransomware takedown
The U.S. government has sanctioned two key members of LockBit, the Russian-speaking hacking and extortion gang accused of launching ransomware attacks against victims across the U.S. and internationally.
In a post on Tuesday, the U.S. Treasury confirmed it is sanctioning two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev.
Sungatov and Kondratiev were separately indicted by U.S. prosecutors on Tuesday for their alleged involvement with LockBit.
Kondratiev is also accused of involvement with REvil, RansomEXX and Avaddon ransomware gangs.
“The United States will not tolerate attempts to extort and steal from our citizens and institutions,” said U.S. Deputy Secretary of the Treasury Wally Adeyemo in a statement. “We will continue our whole-of-government approach to defend against malicious cyber activities, and will use all available tools to hold the actors that enable these threats accountable.”
The newly imposed sanctions mean it is now illegal for U.S. businesses or individuals to pay or otherwise transact with those named by sanctions, a tactic typically used to discourage American victims from paying a hacker’s ransom.
Sanctioning the individuals behind cyberattacks makes it more difficult for the individual hackers to profit from ransomware, rather than targeting groups that can rebrand or change names to skirt sanctions.
Those who are caught violating U.S. sanctions law, such as companies paying a sanctioned hacker, can lead to hefty fines and criminal prosecution.
The sanctions dropped hours after U.S. and U.K. authorities announced a global law enforcement operation aimed at disrupting LockBit’s infrastructure and operations. The authorities announced the seizure of LockBit’s infrastructure on the gang’s own dark web leak site, which the group previously used to publish victims’ stolen data unless a ransom was paid.
U.S. prosecutors accuse LockBit’s operators of using ransomware in more than 2,000 cyberattacks against victims in the U.S. and worldwide, making some $120 million in ransom payments since it was founded in 2019.
LockBit has taken credit for hundreds of hacks over the years, including California’s Department of Finance, the U.K. postal service Royal Mail and U.S. dental insurance giant MCNA, affecting millions of individuals’ personal information.
The U.S. sanctions announced Tuesday are the latest round of actions targeting the hackers behind LockBit and other prolific ransomware gangs.
In 2022, Russian-Canadian dual national Mikhail Vasiliev was arrested on allegations of launching multiple LockBit ransomware attacks. A year later, U.S. authorities arrested Ruslan Magomedovich Astamirov under similar allegations. Both suspects remain in custody awaiting trial.
A third suspect, Russian national Mikhail Pavlovich Matveev, was accused of involvement in several ransomware operations, including LockBit. Matveev, who remains at large, was subject to U.S. sanctions in 2023, preventing U.S. victims from paying a ransom to him or his associated ransomware gangs, including Hive and Babuk. The U.S. government also has a $10 million reward for information leading to Matveev’s arrest.
In its announcement Tuesday, the U.S. government did not yet name the suspected LockBit ringleader, who goes by the moniker LockBitSupp. The now-seized LockBit dark web leak site says law enforcement plans to release more information on the alleged leader on Friday, including details of a $10 million bounty for information leading to their location or identification.
Besides sanctions, the U.S. does not ban or otherwise restrict victims from paying a ransom, though the FBI has long advised victims against paying off hackers for fear of perpetuating future cyberattacks. Security researchers say that ransomware victims who pay a ransom are more likely to experience subsequent ransomware attacks.
Read more on TechCrunch:
Why are ransomware gangs making so much money?Why ransomware victims can’t stop paying off hackersDo government sanctions against ransomware groups work?Why extortion is the new ransomware threat
Authorities disrupt operations of notorious LockBit ransomware gang