How the U.S. Is Fighting Russian Ransomware Gangs

Martin Holloway · Published 4h ago · 5 min read · Based on 9 sources

The U.S. Department of Justice has sentenced a Latvian national to 102 months in federal prison for his work in a major Russian ransomware organization that attacked more than 54 companies. The case marks the latest conviction in an escalating campaign against cybercrime networks based in Eastern Europe. The defendant was active in the operation from June 2021 through August 2023, and his case shows how modern ransomware attacks often involve criminals spread across multiple countries working together.

Major Ransomware Group Taken Down After Stealing $16 Million

Federal prosecutors have filed charges against Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, both Russian nationals who allegedly led the Phobos ransomware group. This organization attacked more than 1,000 companies and government agencies worldwide while extorting over $16 million in ransom payments. The group used multiple fake names, including "8Base" and "Affiliate 2803," and operated using an "affiliate" model—a setup where the core developers stay hidden while recruiting other criminals to carry out attacks on their behalf.

The Phobos arrests are a significant win for federal prosecutors, who face a major obstacle: Russia has no extradition treaty with the United States. For prosecutors to bring Russian-based criminals to trial, they typically need to catch them traveling outside their home country or secure cooperation from international law enforcement.

A Pattern Linking Criminal Gangs and Russian Government

The Justice Department's recent actions go beyond ransomware gangs to include charges against four Russian government officials tied to attacks on critical infrastructure worldwide. These cases cover cyber activity from 2012 to 2018 and highlight something observers have noticed for years: the line between criminal ransomware operations and Russian state-sponsored hacking is often blurry.

In December 2024, additional charges were filed against a Russian-Israeli citizen connected to the LockBit ransomware group. Prosecutors have also expanded cases related to WhisperGate, malware designed specifically to destroy computer systems in Ukraine.

The broader context here draws a parallel to what happened in the mid-2000s, when the Justice Department began systematically prosecuting Russian organized crime groups that had shifted from physical crimes to online theft and extortion. Today's enforcement push appears larger in scope—going after both criminal networks and their links to government actors at the same time.

U.S. Treasury Freezes Assets of LockBit Leadership

The U.S. Treasury Department has backed up these prosecutions with financial sanctions—essentially freezing bank accounts and blocking transactions with key ransomware operators. Dmitry Yuryevich Khoroshev, identified as the main operator of the LockBit ransomware group, has been designated under these sanctions for his role in building and distributing the LockBit malware.

The Treasury has also sanctioned Mikhail Matveev for launching cyberattacks against U.S. law enforcement and businesses, along with two other LockBit affiliates. These designations freeze any assets these individuals have in the United States and make it illegal for American companies and citizens to do business with them.

The takedown of LockBit's infrastructure is one of the biggest ransomware enforcement successes on record. At its peak, LockBit was responsible for roughly one-quarter of all ransomware attacks tracked by security researchers.

Why This Matters: A Shift in How the U.S. Fights Cybercrime

The Justice Department is now using a combination of criminal prosecutions, financial sanctions, and infrastructure disruption—deploying multiple tools rather than relying solely on indictments that often go unenforced because defendants never travel to the U.S. to face trial. This shows a maturation in how federal agencies approach cybercrime.

The affiliate model that prosecutors targeted in the Phobos case has become the standard way ransomware operations work. Core developers create the malware and run the operation, while recruiting affiliates to do the actual attacks. This structure lets leaders maintain a layer of distance from the crimes themselves. By prosecuting both the leaders and the affiliate participants, prosecutors are trying to make the business model less profitable and harder to operate.

The timing matters too. The Latvian defendant's operation ran from mid-2021 to mid-2023, which was the period when ransomware gangs became increasingly professional—adding victim research teams, payment processing, and even customer service functions that mimicked legitimate businesses.

The broader pattern in these cases suggests prosecutors are building cases around the entire ecosystem that supports ransomware—not just treating each gang as a separate criminal enterprise. They are connecting the dots between criminal operators, affiliates, and government actors.

Looking ahead, it is worth considering whether these enforcement actions will actually reduce the number and sophistication of attacks. Indictments and sanctions do impose real costs on targeted operations, but the fundamental economic forces that make ransomware attractive—low barriers to entry, high profit margins, and the protection that operating from Russia or allied countries provides—remain in place. The real measure of success will not be the number of convictions announced, but whether attacks against Western targets actually decline.