Alleged LockBit ransomware operator arrested in Canada

A man with dual Russian and Canadian nationality has been arrested in connection with his alleged part in the LockBit ransomware conspiracy that has demanded more than $100 million from its victims.

LockBit has become one of the world's most active ransomware-as-a-service operations, working with affiliates to exfiltrate data from victims before encrypting files on compromised networks.  If LockBit's victims refuse to pay their extortionists, their data is invariably published on the criminal group's leak website.

33-year-old Mikhail Vasiliev, is now in custody in Canada, awaiting extradition to the United States.  His arrest comes following an investigation by the FBI and its international law enforcement parters that started in March 2020.

When Vasiliev's home in Bradford, Ontario, was searched by Canadian law enforcement in August 2022 they discovered a computer file called TARGETLIST that appeared to contain a list of past and prospective victims, including a business in New Jersey that was hit by LockBit in or around November 2021.

In addition, the criminal complaint against Vasiliev says that screenshots of end-to-end encrypted conversations with the Tux username "LockBitSupp" (assumed to be shorthand for "LockBitSupport") were uncovered, which contained multiple discussions related to the ransomware operation and communication with victims.  Furthermore, source code for a program that would encrypt data, and photographs of a compuetr screen showing usernames and passwords for employees at an organisation hit by LockBit in January 2022.

During a further search on October 26, 2022, officers say they discovered Vasiliev in his garage, sat at a laptop computer.  Tehy were able to restrain Vasiliev before he could lock the computer, and noted that it appeared to be logged in to a LockBit control panel.

Vasiliev is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. If convicted, he could face up to five years in prison.

One of the LockBit group's most high profile victims was IT and consulting giant Accenture, which was struck in August 2021.  The gang claimed to have stolen six terabytes of data from the company's network, and demanded a $50 million ransom.

Other LockBit victims have included Merseyrail, the railway network serving Liverpool and its surroundings in the UK, and most recently German autoparts manufacturer Continental.