Russian man accused of being global ransomware mastermind arrested north of Toronto (msn.com)
A Russian-Canadian man accused of being one of the world’s most prolific ransomware operators behind a string of high-stakes attacks on critical infrastructure and companies has been arrested north of Toronto after an international investigation by European, American, and Canadian police.
When police raided Mikhail Vasiliev’s house in Bradford West Gwillimbury, 60 kilometres north of Toronto, on Oct. 26, officers found him sitting in the garage at a table with an open laptop computer. Police restrained him before he was able to lock his laptop, according to authorities.
On the open laptop, police found a browser window with several open tabs including one titled “LockBit LOGIN,” at a site hosted on a dark web domain, according to allegations.
He is accused of being the mastermind behind LockBit, perhaps the most notorious recent strain of ransomware, the class of extortion malware that encrypts computers and data and locks victims out of them until a ransom is paid.
The Ontario Provincial Police arrested Vasiliev, 33, but kept it quiet while a large, international response unfolded.
While Vasiliev was charged by the OPP only on gun charges after two weapons and ammunition were allegedly found on the premises, he now faces an extradition request to the United States and attracts keen interest in Europe.
European authorities said he is alleged to have deployed LockBit to attack infrastructure and large industrial groups across the world. Companies in Canada, Europe and the United States have been hard hit.
Europol, the European police agency, said he is allegedly known for extortionate ransom demands ranging from 5 million to 70 million euros, which is about $7 million to $95 million in Canadian currency.
Investigators from the French Gendarmerie, the FBI, and Europol’s European Cybercrime Centre were deployed to Ontario to jointly conduct investigative measures with Canadian law enforcement authorities, Europol said.
Europol said two guns, eight computers and 32 external hard drives were seized in the search of the home, along with 400,000 euros in cryptocurrencies, which is about $544,000 Canadian.
The timing of the raid seems to have caught Vasiliev by surprise, but the prospect of arrest itself likely did not. His home was first raided by Canadian police in August, according to documents filed in U.S. court in New Jersey.
During that raid, officers found a file titled “TARGETLIST” on a storage device, containing a list of what appear to be prospective or historical cybercrime victims. It included a New Jersey-based business that was hit last November, according to an affidavit from FBI Special Agent Matthew Haddad attached to a criminal complaint against Vasiliev.
Canadian authorities also seized screenshots of messages sent on an encrypted platform from “LockBitSupp,” believed to be short for “LockBit Support,” a moniker known by authorities to have been used in ransomware communications. Also found was a file that appears to be instructions for deploying a LockBit attack, according to Haddad.
Police seized source code for a data encryption program and photos of a computer screen showing usernames and passwords belonging to employees of a LockBit victim in Canada that was hit in January.
When police returned to his home last month, and arrested him at his open laptop, officers found further potential evidence, said Haddad. The FBI believes the tab was a LockBit control panel. Files on the computer showed he had working access to the site, the complaint alleges.
Police also found a seed phrase for accessing a Bitcoin wallet. The wallet showed a payment on Feb. 5. The FBI alleges the funds originated as a portion of a ransom payment made six hours earlier by a confirmed LockBit victim. At the time the cryptocurrency deposit was worth about $53,000. This morning the same amount was worth about $18,500.
The OPP would only confirm that guns were seized — and that is all he was charged with in Canada, although the OPP confirmed the arrest is part of a cross-border ransomware investigation. The OPP said it worked with the RCMP’s National Cybercrime Coordination Centre.
Vasiliev’s charges in Ontario are possession of a prohibited weapon, possession of a prohibited or restricted firearm with ammunition, possession of a prohibited device or ammunition, and careless storage of a firearm.
He appeared in court in Orillia the day after his arrest and has been released on bail pending a court appearance next month.
The OPP said their investigation remains active.
The U.S. Attorney’s Office in the District of New Jersey said U.S. charges against Vasiliev were filed on Nov. 9, followed by a request for his extradition to New Jersey.
Two of his alleged accomplices were arrested last year in Kyiv, Ukraine, authorities said, after a joint investigation by French and Ukrainian police into two men accused of being prolific LockBit operators.
Europol said they were part of an organized group that was one of Europol’s high-value targets and at the time, authorities said they continued to search for the “main operator.” Along with the arrests in September 2021, police seized US$375,000 in cash, two luxury vehicles, and froze assets of US$1.3 million in cryptocurrencies.
According to analysts at Blackberry, LockBit ransomware has been particularly damaging.
“LockBit ransomware has been implicated in more cyberattacks this year than any other ransomware, making it the most active ransomware in the world,” according to a report by Blackberry.
LockBit was first detected in 2019, LockBit 2.0 in 2021, and the current version, LockBit 3.0, in June of this year.
“LockBit attacks typically employ a double extortion tactic to encourage victims to pay, first, to regain access to their encrypted files and then to pay again to prevent their stolen data from being posted publicly,” the report says.
LockBit attracted added scrutiny when analysts found it ran a special check before launching an attack: it inspected the victim machine's system language and installed keyboard layouts, and if they indicated Russia or one of the former Soviet Union states, it aborted rather than encrypting. Defenders have experimented with adding a Russian keyboard layout as a cheap deterrent, but since the check is entirely under the attacker's control, it is not a reliable protection.
• Email: ahumphreys@postmedia.com | Twitter: AD_Humphreys