Europol announced the arrest of a Russian-Canadian national linked to the LockBit ransomware attacks against critical infrastructure and large industrial groups.
The October 26 arrest followed months of investigation by the European Cybercrime Centre (EC3), led by the French National Gendarmerie and assisted by the Royal Canadian Mounted Police (RCMP) and the United States Federal Bureau of Investigation (FBI).
Authorities disclosed that they seized eight computers, 32 external hard drives, two firearms, and cryptocurrency worth about €400,000 from the suspect’s Canadian home.
Alleged LockBit ransomware operator arrested in Canada was a “high-value” target
Mikhail Vasiliev, 33, of Bradford, Ontario, Canada, was considered a high-value target in the ransomware operation due to his alleged involvement in high-profile ransomware attacks. Law enforcement authorities said Vasiliev was notorious for demanding large ransoms between €5 million and €70 million ($5.1 million to $71.4 million).
However, the suspect is more likely to be a prolific affiliate utilizing LockBit ransomware-as-a-service (RaaS) infrastructure to compromise victims for commissions after ransom payment. Thus, his arrest would not impact the main LockBit ransomware operation, although it would reduce the number of successful attacks from experienced affiliates.
Mounting evidence against LockBit ransomware operator
In August 2022, Canadian authorities searched the suspect’s home and discovered various pieces of evidence that led to the arrest.
The evidence included chats between the suspect and LockBit ransomware’s support account ‘LockBitSupp’ instructing him on deploying LockBit’s Linux/ESXi locker. Additionally, they obtained screenshots of a victim’s computer displaying usernames and passwords for various platforms. They also discovered a file named TARGETLIST containing the names of past and prospective victims, including businesses that suffered a LockBit ransomware attack in 2021. Other crucial pieces of evidence included the source code of a program that could encrypt data and a laptop connected to LockBit’s control panel.
Court documents seen on November 10 show that the U.S. Department of Justice (DoJ) has indicted Vasiliev. He’s currently awaiting extradition to the United States to answer for international crimes.
The 33-year-old will be charged with conspiracy to intentionally damage protected computers and to transmit ransom demands, and faces up to five years in prison and a fine of $250,000 or twice the proceeds of the cybercrime, whichever is greater.
Deputy Attorney General Lisa O. Monaco said Vasiliev’s arrest resulted from a two-and-a-half-year investigation into LockBit ransomware and decades of FBI experience in dealing with cybercrime.
Ongoing arrests of ransomware operators
Europol disclosed that two of his accomplices had been arrested in Ukraine in 2021 in a different operation. The duo was accused of, among other things, laundering the proceeds of cybercrime. However, the multinational law enforcement agency could not divulge more details to maintain operational integrity.
Similarly, Ukrainian authorities had earlier arrested other members of the Clop and Egregor ransomware groups during the operation.
In October 2021, Europol announced the arrest of 12 suspects from various ransomware groups, including Dharma, LockerGoga, and MegaCortex, with over 1,800 victims from 71 countries.
LockBit ransomware’s rapid success in cybercrime enterprise
The LockBit ransomware operation began in 2019, with its ransomware-as-a-service activities launching in 2021. Since then, the LockBit ransomware group has emerged as a top advanced persistent threat actor, responsible for half of all ransomware attacks in 2022.
According to a criminal complaint filed in a U.S. District Court in New Jersey, the LockBit ransomware operation has impacted over 1,000 victims in the United States and around the world. The international extortion operation has earned cybercriminals tens of millions of dollars in ransom payments from their victims after demanding more than $100 million.
LockBit ransomware victims include IT consulting giant Accenture, which was compromised in August 2021 with six terabytes of data stolen and $50 million demanded in ransom, German auto parts maker Continental, and the UK’s rail service Merseyrail. Others include tech giant Foxconn, NHS vendor Advanced, and an alleged data theft from French aerospace company Thales.