Russian-Canadian national Mikhail Vasiliev was arrested in Canada on Wednesday over his alleged participation in the LockBit ransomware campaign, which has claimed at least 1,000 victims in the United States.
Thirty-three-year-old Vasiliev is charged with “conspiracy to intentionally damage protected computers and to transmit ransom demands” and, if convicted, faces a maximum of five years in prison. Vasiliev is currently in Canadian custody awaiting extradition to the United States.
Evidence for the charges was collected during two separate police raids on the suspect’s home
The criminal complaint describes two separate police raids of his Ontario home — first in August 2022 and then again the following October. During the first search, Canadian law enforcement discovered screenshots of encrypted messages exchanged with a user named “LockBitSupp” (believed to be shorthand for “LockBitSupport”) and sensitive login data belonging to employees of a confirmed LockBit victim from January 2022.
During the second search, Vasiliev was restrained before he was able to lock his laptop, allowing for a more thorough search of his device. Investigators discovered a file named “TARGETLIST” (believed to be a list of prospective or historical cybercrime victims) as well as an open browser tab on a site named “LockBit LOGIN” hosted on LockBit’s dark web domain.
Authorities also used Vasiliev’s Bitcoin holdings to connect him to the criminal scheme. A seed phrase for a Bitcoin wallet address was found during the October 2022 search, with blockchain analysis revealing the wallet received a payment of approximately 0.80574055 BTC on February 5th, 2022. Funds for this transaction were traced back to a ransom payment of 2.8759 BTC made by a confirmed LockBit victim six hours prior.
LockBit is believed to be responsible for around 44 percent of ransomware campaigns this year
LockBit ransomware is malicious self-spreading software that locks users out of computer systems, holding data “hostage” under threat of posting it to the dark web until a ransom payment is made. Since it was discovered in January 2020, LockBit has become one of the most active ransomware variants in the world and is believed to be responsible for around 44 percent of all ransomware campaigns so far this year, according to Deep Instinct’s 2022 Interim Cyber Threat Report.
LockBit members are believed to have made at least $100 million in ransom demands, with tens of millions of dollars in actual ransom payments extracted from their victims. Earlier this year, the small towns of St. Marys, Ontario, and Frederick, Colorado, were targeted by the group, with LockBit demanding a $200,000 ransom in exchange for not publishing data stolen from Frederick residents.
“This arrest is the result of over two-and-a-half-years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco.