U.S. law enforcement agencies have charged a dual Russian and Canadian national for allegedly participating in LockBit ransomware attacks. LockBit has emerged as a destructive ransomware family that has been used in attacks against at least 1,000 victims in the U.S. and globally.
The 33-year-old man, Mikhail Vasiliev, is in custody in Canada awaiting extradition to the U.S. The Department of Justice (DoJ) in a Thursday release charged Vasiliev specifically with conspiracy to intentionally damage protected computers and to transmit ransom demands. He faces a maximum of five years in jail if convicted.
Deputy Attorney General Lisa Monaco said in a statement that the arrest is the result of an investigation into the LockBit ransomware group spanning more than two and a half years.
“It is also a result of more than a decade of experience that FBI agents, Justice Department prosecutors, and our international partners have built dismantling cyber threats,” said Monaco. “Let this be yet another warning to ransomware actors: working with partners around the world, the Department of Justice will continue to disrupt cyber threats and hold perpetrators to account. With our partners, we will use every available tool to disrupt, deter, and punish cyber criminals.”
LockBit first emerged in January 2020 and has since grown into one of the most active ransomware groups, particularly after the Conti group closed its operations and shut down all its servers in 2022. Operators of the ransomware have brought in tens of millions of dollars in ransom payments from victims. Over the past year, LockBit has targeted various organizations globally, including ones in Chile, Italy and the UK. Researchers have tracked a variant of LockBit targeting VMware’s ESXi enterprise-class virtual machine platform, as well as multiple LockBit intrusions that were attributed to a threat cluster sharing numerous overlaps with the well-known Evil Corp cybercriminal group.
Brett Callow, threat analyst with Emsisoft, said that the arrest could provide law enforcement with additional insights into how the LockBit operation works and who is involved with it. Knowing this, “I will be very surprised if LockBit continues to operate under that brand name for very much longer,” said Callow.
The U.S. over the past year has made several concerted efforts to weed out key leaders, operators or affiliates that are associated with ransomware attacks. The State Department, for instance, has offered a slew of rewards for more information on members of various ransomware groups, including previous rewards totaling $15 million for the Conti group, $15 million for the DarkSide ransomware, and $15 million for the Sodinokibi (REvil) group.
However, actually arresting these individuals often requires international cooperation between various law enforcement agencies, which is sometimes difficult when dealing with cybercriminals protected by safe haven countries that let them operate freely within their borders without consequence. In the case of Vasiliev, who was arrested in Canada, the U.S. had help from the French National Gendarmerie, the European Union Agency for Law Enforcement Cooperation (Europol) and the Royal Canadian Mounted Police.
Overall, “the more that people are arrested, the more information that law enforcement agencies will have at their disposal,” said Callow. “In some cases, that will help point to other ransomware operators and enable them to be arrested or operations disrupted.”