Ontario Man Arrested, Awaiting US Extradition for Alleged Global Ransomware Crimes

Ontario Man Arrested, Awaiting US Extradition for Alleged Global Ransomware Crimes
FBI Director Christopher Wray (R) and Attorney General Merrick Garland speak at a press conference at the Department of Justice in Washington on Oct. 24, 2022. Kevin Dietsch/Getty Images
The Canadian Press
Updated:
0:00
A Russian-Canadian man from Ontario is in police custody and awaiting extradition to the United States for his alleged participation in a global ransomware campaign, the U.S. Department of Justice announced Thursday.

Mikhail Vasiliev, a 33-year-old dual Russian and Canadian national from Bradford, Ont., is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands in connection with his alleged role in the LockBit global ransomware scheme, the department said in a press release.

LockBit is a ransomware variant that has made at least $100 million in ransom demands and extracted tens of millions of dollars in actual payments from victims, according to a court document filed in the District of New Jersey. It first appeared as early as January 2020 and members of the conspiracy have since executed at least 1,000 LockBit attacks against victims in the U.S. and around the world, the document alleged.

Ransomware is a type of malware used by cybercriminals to encrypt data stored on a victim’s computer to render it inaccessible or unusable, transmit that data to a remote computer, or both. After a ransomware attack, perpetrators typically demand a ransom payment from the victim and threaten to publish, sell or prevent access to the stolen data if the money is not paid.

“In many instances, LockBit perpetrators have posted highly confidential and sensitive data stolen from LockBit victims to a publicly available website under their ownership and control,” Federal Bureau of Investigation agent Matthew Haddad wrote in the criminal complaint. “In this way, LockBit has become one of the most active and destructive ransomware variants in the world.”

The document said the FBI began looking into LockBit around March 2020 and concluded that Vasiliev, who faces a maximum of five years in prison if convicted, is an alleged member of the LockBit conspiracy. No contact information for Vasiliev’s legal representatives was immediately available on Thursday.

The criminal complaint against Vasiliev says Canadian police officers searched his Bradford home in August, where they discovered a file containing a list of alleged prospective or previous cybercrime victims.

Also discovered in the search were screenshots of messages discussing topics related to the LockBit campaign, a text file including instructions to deploy a LockBit program against a computer and usernames and passwords for various platforms belonging to employees of a Canadian LockBit victim, documents show.

The complaint further reveals that Vasiliev’s home was raided again on Oct. 26, and upon entering, “Canadian law enforcement discovered Vasiliev sitting in the garage at a table with a laptop, which he was unable to lock before being restrained.”

Investigators found multiple tabs open on the laptop, including one pointing to a site named “LockBit LOGIN”  with a LockBit logo and a login screen hosted at a dark web domain, the document alleged.

It further alleged Canadian law enforcement found a Bitcoin wallet address in Vasiliev’s home during the October raid, which led them to discover that the wallet had received a Bitcoin payment from funds originating from a ransom payment made six hours earlier by a confirmed LockBit victim.

Vasiliev’s arrest is the result of a more than two-and-a-half year investigation into LockBit and more than a decade of experience between FBI agents, Justice Department prosecutors and international partners in dismantling cyber threats, said U.S. Deputy Attorney General Lisa Monaco in a news release.

“Let this be yet another warning to ransomware actors: working with partners around the world, the Department of Justice will continue to disrupt cyber threats and hold perpetrators to account,” Monaco said.