Russian hacker linked to LockBit ransomware gang arrested in Canada

Russian-Canadian national arrested for alleged involvement in LockBit ransomware attacks

DOJ investigation ends in Canada with the arrest. The arrested Russian-Canadian hacker is allegedly linked to LockBit ransomware either as an affiliate or as an operator.

The US Department of Justice announced the arrest of, and charges against, a dual Russian and Canadian national for his alleged participation in attacks in which LockBit ransomware was deployed against victims worldwide. Mikhail Vasiliev, 33, has been taken into custody and is awaiting extradition to the United States.[1] If convicted, he faces a maximum sentence of five years in prison for his involvement in the attacks.[2]

The arrest on October 26th was the result of an investigation led by the French National Gendarmerie with the support of Europol's European Cybercrime Centre. The FBI and the Royal Canadian Mounted Police were also involved. During the arrest, agents seized eight computers, 32 external hard drives, and at least 400,000 euros in cryptocurrency, according to reports.[3]

Vasiliev was charged with conspiracy to transmit ransom demands and to intentionally damage protected computers. The arrest followed two and a half years of investigation into the LockBit ransomware group. The ransomware has victims in many countries beyond the United States and Canada.

One of the world's most prolific ransomware operators was arrested on 26 October in Ontario, Canada

Europol also described him as one of its high-value targets, since he was involved in various high-profile ransomware cases. He is known for extorting money from victims, with demands ranging from 5 to 70 million euros.[4]

Possible affiliate or creator of LockBit ransomware?

Agencies describe the hacker as a potential operator of the notorious LockBit ransomware strain[5], which would make him responsible for these campaigns. That may not be the case, however: he might only be an affiliate who deploys the malware, rather than the manager of the cybercrime operation or the author of the malware itself.

The affiliate theory is made more believable by the fact that LockBitSupp, the public persona that represents the LockBit operation, has remained active on hacker forums recently. LockBit ransomware has claimed at least a thousand victims in the United States and has collected tens of millions of dollars in ransom payments from them.

The ransomware first emerged in 2019 and was one of the major groups moving into ransomware-as-a-service[6] operations. It launched a new version in June 2022, after which victim counts and reports in the media skyrocketed. The group is linked to at least 160 attacks in September and October alone.

Links to particular victims and ransomware operations

The search of the hacker's home revealed a range of files and data on his devices. These are suspected to include a list of the ransomware's victims and screenshots of communications exchanged with LockBitSupp via the Tox messaging application.

Investigators also located a text file with instructions for deploying LockBit ransomware, the source code of the malware, and a website believed to be the control panel operated by the group that manages the attacks.

The threat actor's devices also stored screenshots showing usernames and passwords for various platforms belonging to employees of LockBit victims in Canada. The attacks linked to these credentials were confirmed to have taken place around January 2022.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
