Member of LockBit ransomware group sentenced to 4 years in prison

A dual Canadian-Russian national has been sentenced to four years in prison for his role in infecting more than 1,000 victims with LockBit ransomware and then extorting them out of tens of millions of dollars.

Mikhail Vasiliev, a 33-year-old man who most recently lived in Ontario, Canada, was arrested in November 2022 and charged with conspiring to infect protected computers with ransomware and sending ransom demands to victims. Last month, he pleaded guilty to eight counts of cyberextortion, mischief and weapons charges.

During an October 2022 raid on Vasiliev’s home in Bradford, Ontario, Canadian law enforcement agents found Vasiliev working on a laptop that displayed a LockBit control panel login screen, which the members used to carry out attacks. Investigators also found a seed phrase for a Bitcoin wallet address that was linked to another wallet that received a payment from a victim who was infected and extorted by LockBit.

During a previous search, investigators found a file named “TARGETLIST” stored on one of Vasiliev’s devices, FBI agents said in a court document. The filing contained a list of what appeared to be potential or historical cybercrime victims targeted by LockBit. Investigators also discovered:

  • Screenshots of message exchanges with someone with the username LockBitSupp, a nickname used by one or more of LockBit’s core members. The messages discussed the status of stolen data stored on LockBit servers and a confirmed LockBit victim located in Malaysia.
  • A text file titled “LockBit Linux/ESXi locker V: 1.1” that included what appeared to be instructions for deploying LockBit ransomware.
  • Photographs of a computer screen displaying the usernames and passwords of devices belonging to employees of a confirmed LockBit victim who was infected in January 2022.

LockBit has been operating since at least 2019 and was also known as “ABCD” in the past. Within three years, the group’s malware had become the most widely distributed ransomware. Like most of its peers, LockBit operates under what is known as ransomware-as-a-service, in which it provides software and infrastructure to affiliates who use it to carry out the actual hacking. LockBit and affiliates then split the resulting revenue. Hundreds of affiliates participated. The FBI said last month that LockBit has extorted more than $120 million from thousands of victims around the world to date.

Last month, the FBI said it and partner law enforcement agencies around the world had dealt a major blow to LockBit by taking over most of the server infrastructure the group used to coordinate attacks and demand ransoms from victims. The takedown occurred after law enforcement officers gained the highest levels of access to the LockBit system and the main web panel that LockBit operators used to communicate.

Authorities said they took control of 14,000 accounts and 34 servers located in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom. Two LockBit suspects have been arrested in Poland and Ukraine, and five indictments and three arrest warrants have been issued. Authorities also froze 200 cryptocurrency accounts linked to the ransomware operation.

Two days later, researchers detected a new series of attacks that spread LockBit ransomware. A few days later, a key LockBit member published a post saying the police had destroyed only part of the group’s infrastructure. LockBit members opened a new dark website that claimed to have hacked several new victims. The new activity has raised concerns among some about LockBit’s viability.

Last week, journalist Valéry Marchive said that most of the hacks claimed on the new site were recycled from previous events occurring in 2022, 2023 and 2024. “The data leaked by the LockBit 3.0 franchise does not appear to be the result of cyberattacks carried out by a very large number of users. chains,” Marchive wrote. LockBit 3.0 was a reference to the newly relaunched group, as the new dark website claims.

Michelle Fuerst, the judge presiding over Vasiliev’s case, said during sentencing Tuesday that Vasiliev was a “cyber-terrorist” whose actions were “planned, deliberate and coldly calculated,” according to CTVNews. The judge also reportedly said the defendant’s actions were “far from victimless crimes” and that he was “motivated by his own greed.”

A lawyer representing the accused said: “Mikhail Vasiliev took responsibility for his actions, and that was reflected in the courtroom today with the sentence that was handed down.”
