Russian man accused of being global ransomware mastermind arrested north


He is accused of being the mastermind behind LockBit, allegedly responsible for ransom demands ranging from $7 million to $95 million


Publishing date: Nov 10, 2022

Ukrainian officers and officials with European and United States agencies search a home in Kyiv in 2021 after the arrest of two men accused of being LockBit ransomware accomplices of a man arrested in Ontario in October. Photo by Cyber Police Of Ukraine

A Russian-Canadian man accused of being one of the world’s most prolific ransomware operators behind high-stakes attacks on critical infrastructure and companies has been arrested north of Toronto after an international investigation by European, American, and Canadian police.


When police raided Mikhail Vasiliev’s house in Bradford West Gwillimbury, 60 kilometres north of Toronto, on Oct. 26, officers found him sitting in the garage at a table with an open laptop computer. Police restrained him before he was able to lock his laptop, according to authorities.


On the open laptop, police found a browser window with several open tabs including one titled “LockBit LOGIN,” at a site hosted on a dark web domain, according to allegations.

He is accused of being the mastermind behind LockBit, perhaps the most notorious of recent extortion tools called ransomware, that targets, blocks and locks access to computers and private data until a ransom is paid.

The Ontario Provincial Police arrested Vasiliev, 33, but kept it quiet while a large, international response unfolded.


While Vasiliev was charged by the OPP only on gun charges after two weapons and ammunition were allegedly found on the premises, he now faces an extradition request by the United States and attracts keen interest in Europe. He appeared in court in Barrie Thursday on the extradition request, a hearing adjourned until next week.

European authorities said he is alleged to have deployed LockBit to attack infrastructure and large industrial groups across the world. Companies in Canada, Europe and the United States have been hard hit.

Ukrainian officers and officials with European and United States agencies search a home in Kyiv in 2021 after the arrest of two men accused of being ransomware accomplices of a man arrested in Ontario in October. Photo by Cyber Police Of Ukraine

Europol, the European police agency, said he is allegedly known for extortionate ransom demands ranging from 5 million to 70 million euros, which is about $7 million to $95 million in Canadian currency.


Investigators from the French Gendarmerie, the FBI, and Europol’s European Cybercrime Centre were deployed to Ontario to jointly conduct investigative measures with Canadian police, Europol said.

Europol said two guns, eight computers and 32 external hard drives were seized in the search of the home, along with 400,000 euros in cryptocurrencies, which is about $544,000 Canadian.

The timing of the raid seems to have caught Vasiliev by surprise, but that police would return likely didn’t. His home was first raided by Canadian police in August, according to documents filed in U.S. court in New Jersey.

During that raid, officers found a file titled “TARGETLIST” which appears to be a list of prospective or historical cybercrime victims. It included a New Jersey-based business that was hit last November, according to an affidavit from FBI Special Agent Matthew Haddad that is attached to a criminal complaint against Vasiliev.


Canadian authorities also seized screenshots of messages sent on an encrypted platform from a user named “LockBitSupp,” believed to be short for “LockBit Support” and a moniker known by authorities to have been used in ransomware communications. Also found was a file that appears to be instructions for deploying a LockBit attack, according to Haddad.

Police seized source code for a data encryption program and photos of a computer screen showing usernames and passwords belonging to employees of a LockBit victim in Canada that was hit in January, according to Haddad.

When police returned to his home last month, and arrested him at his open laptop, officers found further potential evidence — the FBI believes the tab was a LockBit control panel. Other files on the computer showed it had working access to the site, the U.S. complaint alleges.


Police also found a seed phrase for accessing a Bitcoin wallet. The wallet showed a payment on Feb. 5. The FBI alleges the funds originated as a portion of a ransom payment made six hours earlier by a confirmed LockBit victim. At the time, the cryptocurrency deposit was worth about $53,000. This morning the same amount was worth about $18,500 after a drop in Bitcoin value.

The OPP would only confirm that guns were seized — and that is all he was charged with in Canada — although the OPP confirmed the arrest is part of a cross-border ransomware investigation. The OPP said it worked with the RCMP’s National Cybercrime Coordination Centre.

Vasiliev faces charges in Ontario of possession of a prohibited weapon, possession of a prohibited or restricted firearm with ammunition, possession of a prohibited device or ammunition, and careless storage of a firearm.


He originally appeared in court in Orillia the day after his arrest and has been released on bail pending a court appearance. The OPP said its investigation remains active. His release conditions include GPS monitoring and for him not to be within 10 kilometres of Pearson international airport nor within 20 kilometres of any land border with the United States.

The U.S. Attorney’s Office in the District of New Jersey said U.S. charges against Vasiliev were filed on Nov. 9, followed by a request for his extradition to New Jersey. He is wanted in Newark for conspiring to damage protected computers and to transmit ransom demands. 

Two of his alleged accomplices were arrested last year in Kyiv, Ukraine. An investigation by French and Ukrainian police led to the arrest of two men accused of being prolific LockBit operators.


Europol said they were part of an organized group that was one of Europol’s high-value targets and, at the time, said officers continued to search for the “main operator.” Along with those arrests in September 2021, police seized US$375,000 in cash, two luxury vehicles, and froze assets of US$1.3 million in cryptocurrencies.

According to analysts at BlackBerry, LockBit ransomware has been particularly damaging.

“LockBit ransomware has been implicated in more cyberattacks this year than any other ransomware, making it the most active ransomware in the world,” according to a report by BlackBerry.

LockBit was first detected in 2019; LockBit 2.0 in 2021; and the current version, LockBit 3.0, was detected in June.


“LockBit attacks typically employ a double extortion tactic to encourage victims to pay, first, to regain access to their encrypted files and then to pay again to prevent their stolen data from being posted publicly,” the report says.

LockBit attracted added scrutiny when analysts found it had a special process before launching an attack: It determined where the target’s servers were located and if they were in Russia or one of the former Soviet Union states, it would abort the attack.

• Email: ahumphreys@postmedia.com | Twitter: AD_Humphreys
