Thursday, November 10, 2022

Russian man accused of being global ransomware mastermind arrested north of Toronto

Adrian Humphreys

A Russian-Canadian man accused of being one of the world’s most prolific ransomware operators behind high-stakes attacks on critical infrastructure and companies has been arrested north of Toronto after an international investigation by European, American, and Canadian police.



Ukrainian officers and officials with European and United States agencies search a home in Kyiv in 2021 after the arrest of two men accused of being LockBit ransomware accomplices of a man arrested in Ontario in October. © Cyber Police Of Ukraine

When police raided Mikhail Vasiliev’s house in Bradford West Gwillimbury, 60 kilometres north of Toronto, on Oct. 26, officers found him sitting in the garage at a table with an open laptop computer. Police restrained him before he was able to lock his laptop, according to authorities.

On the open laptop, police found a browser window with several open tabs including one titled “LockBit LOGIN,” at a site hosted on a dark web domain, according to allegations.

He is accused of being the mastermind behind LockBit, perhaps the most notorious recent strain of ransomware, the extortion software that encrypts computers and private data and blocks access to them until a ransom is paid.

The Ontario Provincial Police arrested Vasiliev, 33, but kept it quiet while a large, international response unfolded.

While Vasiliev was charged by the OPP only on gun charges after two weapons and ammunition were allegedly found on the premises, he now faces an extradition request by the United States and attracts keen interest in Europe. He appeared in court in Barrie Thursday on the extradition request, a hearing adjourned until next week.

European authorities said he is alleged to have deployed LockBit to attack infrastructure and large industrial groups across the world. Companies in Canada, Europe and the United States have been hard hit.




Europol, the European police agency, said he is allegedly known for extortionate ransom demands ranging between 5 million to 70 million euros, which is about $7 million to $95 million in Canadian currency.

Investigators from the French Gendarmerie, the FBI, and Europol’s European Cybercrime Centre were deployed to Ontario to jointly conduct investigative measures with Canadian police, Europol said.

Europol said two guns, eight computers and 32 external hard drives were seized in the search of the home, along with 400,000 euros in cryptocurrencies, which is about $544,000 Canadian.

The timing of the raid seems to have caught Vasiliev by surprise, but that police would return likely didn’t. His home was first raided by Canadian police in August, according to documents filed in U.S. court in New Jersey.


During that raid, officers found a file titled “TARGETLIST” which appears to be a list of prospective or historical cybercrime victims. It included a New Jersey-based business that was hit last November, according to an affidavit from FBI Special Agent Matthew Haddad, which is attached to a criminal complaint against Vasiliev.

Canadian authorities also seized screenshots of messages sent on an encrypted platform from a user named “LockBitSupp,” believed to be short for “LockBit Support” and a moniker known by authorities to have been used in ransomware communications. Also found was a file that appears to be instructions for deploying a LockBit attack, according to Haddad.

Police seized source code for a data encryption program and photos of a computer screen showing usernames and passwords belonging to employees of a LockBit victim in Canada that was hit in January, according to Haddad.

When police returned to his home last month, and arrested him at his open laptop, officers found further potential evidence — the FBI believes the tab was a LockBit control panel. Other files on the computer showed it had working access to the site, the U.S. complaint alleges.

Police also found a seed phrase for accessing a Bitcoin wallet. The wallet showed a payment on Feb. 5. The FBI alleges the funds originated as a portion of a ransom payment made six hours earlier by a confirmed LockBit victim. At the time, the cryptocurrency deposit was worth about $53,000. This morning the same amount was worth about $18,500 after a drop in Bitcoin value.

The OPP would only confirm that guns were seized — and that is all he was charged with in Canada — although the OPP confirmed the arrest is part of a cross-border ransomware investigation. The OPP said it worked with the RCMP’s National Cybercrime Coordination Centre.

Vasiliev faces charges in Ontario of possession of a prohibited weapon, possession of a prohibited or restricted firearm with ammunition, possession of a prohibited device or ammunition, and careless storage of a firearm.

He originally appeared in court in Orillia the day after his arrest and has been released on bail pending a court appearance. The OPP said its investigation remains active. His release conditions include GPS monitoring and for him not to be within 10 kilometres of Pearson international airport nor within 20 kilometres of any land border with the United States.

The U.S. Attorney’s Office in the District of New Jersey said U.S. charges against Vasiliev were filed on Nov. 9, followed by a request for his extradition to New Jersey. He is wanted in Newark for conspiring to damage protected computers and to transmit ransom demands.

Two of his alleged accomplices, accused of being prolific LockBit operators, were arrested last year in Kyiv, Ukraine, following an investigation by French and Ukrainian police.

Europol said they were part of an organized group that was one of Europol’s high-value targets and, at the time, said officers continued to search for the “main operator.” Along with those arrests in September 2021, police seized US$375,000 in cash, two luxury vehicles, and froze assets of US$1.3 million in cryptocurrencies.

According to analysts at BlackBerry, LockBit ransomware has been particularly damaging.

“LockBit ransomware has been implicated in more cyberattacks this year than any other ransomware, making it the most active ransomware in the world,” according to a report by BlackBerry.

LockBit was first detected in 2019; LockBit 2.0 followed in 2021; and the current version, LockBit 3.0, was detected in June of this year.

“LockBit attacks typically employ a double extortion tactic to encourage victims to pay, first, to regain access to their encrypted files and then to pay again to prevent their stolen data from being posted publicly,” the report says.

LockBit attracted added scrutiny when analysts found it ran a special check before launching an attack: it inspected the language settings of the machine it was running on and, if they indicated Russia or one of the former Soviet Union states, it would abort the attack rather than encrypt anything.
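The following is an added illustration, not code from LockBit or from any analyst report: it models the kind of locale self-exclusion check described above and, on a Windows host, reads the same two inputs such a check would look at (the user's default UI language and the installed keyboard layouts) so a defender can see whether a given machine would trip it. The set of Windows language identifiers treated as "CIS" is an assumption chosen for illustration, not a list recovered from a sample, and the sample inputs in the test are constructed.

```python
import sys
import ctypes
from typing import List, Optional, Tuple

# Standard Windows LANGID values for languages of Russia and other former Soviet
# states. Which locales a given ransomware family actually excludes is an
# assumption here; this set is illustrative only.
CIS_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x043F: "Kazakh",
    0x0437: "Georgian",
    0x042B: "Armenian",
    0x042C: "Azerbaijani (Latin)",
    0x0443: "Uzbek (Latin)",
    0x0428: "Tajik",
    0x0440: "Kyrgyz",
    0x0819: "Russian (Moldova)",
    0x0818: "Romanian (Moldova)",
}


def langid_from_hkl(hkl: int) -> int:
    """A Windows keyboard layout handle (HKL) carries the language identifier
    of the layout in its low 16 bits; the high word identifies the device."""
    return hkl & 0xFFFF


def would_abort(ui_langid: int, keyboard_hkls: List[int]) -> Tuple[bool, str]:
    """Model of the self-exclusion check: abort if either the default UI
    language or any installed keyboard layout maps to a CIS language.
    Returns (abort, reason) so the caller can see which input tripped it."""
    if ui_langid in CIS_LANGIDS:
        return True, f"UI language {ui_langid:#06x} ({CIS_LANGIDS[ui_langid]})"
    for hkl in keyboard_hkls:
        lid = langid_from_hkl(hkl)
        if lid in CIS_LANGIDS:
            return True, f"keyboard layout {hkl:#010x} -> {lid:#06x} ({CIS_LANGIDS[lid]})"
    return False, "no CIS locale found"


def host_locale_inputs() -> Optional[Tuple[int, List[int]]]:
    """On Windows, read the two inputs via the Win32 API the check would use:
    GetUserDefaultUILanguage and GetKeyboardLayoutList. Returns None elsewhere."""
    if sys.platform != "win32":
        return None
    user32 = ctypes.windll.user32
    kernel32 = ctypes.windll.kernel32
    ui_langid = kernel32.GetUserDefaultUILanguage() & 0xFFFF
    count = user32.GetKeyboardLayoutList(0, None)   # first call: how many layouts
    buf = (ctypes.c_void_p * max(count, 1))()
    user32.GetKeyboardLayoutList(count, buf)         # second call: fill the buffer
    hkls = [int(h or 0) & 0xFFFFFFFF for h in buf[:count]]
    return ui_langid, hkls


if __name__ == "__main__":
    inputs = host_locale_inputs()
    if inputs is None:
        # Constructed example: an English (US) UI with a Russian layout added.
        inputs = (0x0409, [0x04090409, 0x04190419])
    abort, reason = would_abort(*inputs)
    print("would abort" if abort else "would proceed", "-", reason)
```

The point for defenders is in the inputs, not the geography: the check reads host configuration, so the much-discussed trick of installing a Russian keyboard layout only matters for samples that consult keyboard layouts, is trivial for an operator to drop in a later build, and is no substitute for backups, patching and credential hygiene.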

• Email: ahumphreys@postmedia.com | Twitter: AD_Humphreys
