Canadian police have arrested a Russian citizen who they say is one of the world’s most prolific ransomware operators behind the LockBit ransomware gang. If true, the arrest could be a big blow to the organization.
In a news release today, the European Multidisciplinary Platform Against Criminal Threats (EMPACT) said the man was arrested October 26th in an unnamed Ontario city, following an investigation led by the French National Gendarmerie (Gendarmerie Nationale), with the support of Europol, the RCMP, and the FBI.
The 33-year-old Russian national is believed to have deployed the LockBit ransomware to carry out attacks against critical infrastructure and large industrial groups around the world, the release said. He is known for his extortionate ransom demands ranging from €5 to €70 million.
UPDATE: The EMPACT release didn’t name the man. However, the U.S. Justice Department issued a release saying Mikhail Vasiliev, 33, of Bradford, Ont. is in custody in Canada and is awaiting extradition to the United States. Bradford is a town of about 24,000 less than an hour’s drive north of Toronto.
The Ontario Provincial Police said Vasiliev has been charged with a number of firearm offences. He was released on bail in relation to the weapons charges and is scheduled to appear before a judge in Orillia on December 12. The OPP said its investigation continues.
The U.S. Justice Department said a criminal complaint against Vasiliev alleges he committed conspiracy to intentionally damage protected computers and to transmit ransom demands. If convicted, he faces a maximum of five years in prison.
“This arrest is the result of over two-and-a-half years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world,” said U.S. Deputy Attorney General Lisa Monaco. “It is also a result of more than a decade of experience that FBI agents, Justice Department prosecutors, and our international partners have built dismantling cyber threats. Let this be yet another warning to ransomware actors: working with partners around the world, the Department of Justice will continue to disrupt cyber threats and hold perpetrators to account. With our partners, we will use every available tool to disrupt, deter, and punish cyber criminals.”
This arrest is the follow-up to an action carried out in Ukraine in October which led to the arrests of two of his accomplices, the release said.
During the arrest, Canadian police seized eight computers, 32 external hard drives, and €400,000 in cryptocurrencies, police said.
The arrest is significant, said Brett Callow, a British Columbia-based threat researcher with Emsisoft. “Ransomware groups do not exist in a vacuum – they work with access brokers, money launderers, etc. – and this person could be a valuable source of information that will result in the arrest of others. Also, this may well be the end of LockBit. The operation is effectively compromised and other cybercriminals will no longer trust it.”
According to researchers at BlackBerry, LockBit ransomware has been implicated in more cyberattacks this year than any other ransomware, making it the most active ransomware in the world.
LockBit victims pay an average ransom of approximately $85,000, BlackBerry said, indicating that LockBit targets small-to-medium-sized organizations.
LockBit was first seen in September 2019. Since then, it has evolved: LockBit 2.0 appeared in 2021; LockBit 3.0, the current version, was discovered in June 2022.
(This story has been updated from the original with the addition of information from the OPP)