Canadian man arrested for alleged involvement in LockBit ransomware campaign

On November 10, Europol announced the arrest of 33-year-old Russian-Canadian citizen Mikhail Vasiliev for his alleged participation in the global LockBit ransomware campaign. This ransomware attacked the critical infrastructure of organizations and high profile companies worldwide.

Vasiliev is being held in Canada awaiting extradition to the United States. The United States Department of Justice has charged Vasiliev with “conspiracy to damage protected computers and transmit ransom demands” and faces a maximum of 5 years in prison if convicted.

France’s national gendarmerie led the investigation with the help of Europol’s European Cybercrime Centre, Canada’s Royal Canadian Mounted Police (RCMP) and the FBI.

According to Europol, the LockBit operator was one of Europol’s most valuable targets due to its involvement in many high-profile ransomware cases.

Charged with alleged involvement in ransomware attacks

According to the criminal complaint, there were two raids on Vasiliev’s Ontario home, the first in August 2022 and the other in October. During the first raid, police found screenshots of encrypted messages with a user named “LockBitSupp”, instructions on how to deploy LockBit’s Linux/ESXi locker, and the source code of the malware. As well as sensitive information from employees of a confirmed LockBit victim as of January 2022.

In the second raid, the police caught Vasiliev before he could lock his laptop. This allows for a more thorough search of his laptop. Investigators found a file called “TARGETLIST”. It is believed to be a list of potential victims and an open browser tab hosted on the Dark Web called “LockBit LOGIN”.

With the help of Vasiliev’s bitcoin holdings, the authorities were able to connect him to the criminal scheme. Blockchain analysis of a Bitcoin wallet found at his home revealed that the wallet had received a payment of 0.80574055 BTC on February 5, 2022. Investigators traced the funds for this transaction to a ransom payment of 2.8759 BTC made by a LockBit victim.

This arrest follows a similar action in Ukraine in October 2021, when a joint operation by the FBI, French police and the Ukrainian National Police led to the arrest of two of his accomplices.

What are LockBit ransomware attacks?

LockBit ransomware is malicious, self-propagating software designed to block users from accessing their computer system for ransom payment. Hackers use this ransomware to launch targeted attacks on businesses and other organizations. LockBit was first detected in 2020 and has become one of the most active ransomware variants. That accounts for about 44% of all ransomware campaigns so far this year.