Class aptent taciti sociosqu ad litora

Russian-Canadian National Charged in LockBit Conspiracy

  • November 15, 2022
  • Clayton Rice, K.C.

The United States Department of Justice has unsealed a criminal complaint charging a Russian-Canadian national as a co-conspirator in the LockBit ransomware campaign. The alleged LockBit conspiracy has globally emerged as one of the most active ransomware variants. The complaint filed in the United States District Court, District of New Jersey, alleges that Mikhail Vasiliev of Bradford, Ontario, Canada, conspired to cause damage to a protected computer and extort money by transmitting ransomware demands. He was arrested on November 9, 2022. The United States seeks extradition.

1. Introduction

LockBit has been described as a “data encryption malware” and a “ransomware-as-a-service” (RaaS) in which developers are in charge of the payment site and affiliates sign up to distribute the threat. The malware was developed to encrypt large companies in a few hours in order to prevent detection by security applications and IT/SOC teams. When executed, the ransomware renames the files with the extension “.abcd” after compromising a device. A text file “Restore-My-Files.txt” is then created in all affected folders. The malware is usually launched after a network has been compromised as one of the final stages of infection. LockBit is delivered by a PowerShell demand that has also been observed in other ransomware variants such as Netwalker. (here)

2. Background

The criminal complaint (here) contains a summary of technical terminology and background information that I will discuss for the benefit of anyone who is unfamiliar with how ransomware heists are carried out. The complaint states that the LockBit actors hosted much of its infrastructure on the dark web.

(a) Ransomware

Ransomware is a type of malware used to encrypt data stored on a target’s computer system leaving the data inaccessible to and unusable by the target. It may also transmit data stored on the target’s system to a remote computer. Some types of malware do both. Following a ransomware attack, perpetrators typically demand a payment often by way of cryptocurrency. The demand is accompanied by a threat to either leave encrypted data unusable or publish or sell the data if the ransom is not paid. Ransomware attacks have surged in recent years targeting the energy sector, health care facilities and local governments that I have discussed in previous posts to On The Wire. (here and here)

(b) LockBit

Since 2020, members of the LockBit conspiracy have executed over 1,000 global attacks against targeted systems making approximately $100M in ransom demands and receiving at least tens of millions of dollars in actual ransom payments. In many instances, LockBit actors have posted highly confidential and sensitive data stolen from LockBit victims to a publicly available website under their ownership and control (the “LockBit Data Leak Site”). In this way, LockBit has become one of the most active and destructive ransomware variants in the world. According to statistics reported by Coveware in a 2021 report, LockBit’s market share of ransomware attacks had risen to 7.5%. (here, here and here)

In an article titled US charges suspect linked to notorious ransomware gang published by The Associated Press on November 10, 2022, journalist Eric Tucker reported on statistics published by the cybersecurity firm Palo Alto Networks. (here) During the first five months of this year, LockBit accounted for 46% of all ransomware breaches that were “publicized on extortion sites used by the syndicate to pressure victims by threatening to publicly leak stolen data.” Mr. Tucker went on to state that prominent victims have been identified in the United States, Italy and Germany where a variety of industries from manufacturing to retail have been targeted.

(c) The RaaS Model

The Vasiliev complaint alleges that the LockBit variant operated through the “ransomware-as-a-service” model (RaaS). The RaaS model comprises two groups of ransomware actors: developers and affiliates. The developers design the ransomware and then recruit affiliates to deploy it. The affiliates, in turn, identify vulnerable computer systems, unlawfully access those systems and deploy the ransomware designed by the developers. When targets make ransom payments after successful attacks, the developers and affiliates take a share of the payments.

(d) The Control Panel

The complaint asserts that LockBit relies on a “control panel” for its operation similar to other ransomware variants. In this context, a “control panel” is a software dashboard made available to an affiliate by the developers to provide the affiliate with tools necessary for the deployment of ransomware attacks and to allow developers to monitor the affiliates’ activities. The LockBit control panel allowed affiliates to customize the LockBit ransomware for particular targets; to communicate with LockBit targets for ransom negotiations; and, to publish data stolen from LockBit targets to the LockBit Data Leak Site.

3. The Defendant’s Alleged Participation

The complaint describes evidence obtained by the execution of two search warrants at Mr. Vasiliev’s residence that enabled Canadian law enforcement authorities to discover a “seed phrase” for a Bitcoin wallet address (the “Vasiliev Wallet”). Here is a summary of the alleged significant events.

(a) August 2022 Search

During the execution of the first search warrant, the Canadian police discovered screenshots of message exchanges on the Tox end-to-end-encrypted messaging platform with a user named “LockBitSupp”. The username appeared to be shorthand for “LockBitSupport”. The screenshots also appear to have revealed sensitive login data belonging to employees of a LockBit victim in Canada that sustained a LockBit attack in January 2022.

(b) October 2022 Search

During the execution of the second search warrant, Mr. Vasiliev was found sitting in the garage at a table with a laptop computer when the police entered the residence. He was restrained by the officers before he was able to lock the computer. The investigators discovered a browser with multiple open tabs, including a tab on a site named “LockBit LOGIN” and hosted on a dark web domain called “LockBit Domain”.

(c) The Bitcoin Wallet

During the second search, the police also discovered a “seed phrase” for a Bitcoin wallet address. The blockchain analysis revealed that the wallet received a payment of approximately 0.80574055 BTC on February 5, 2022. The analysis further disclosed that the funds originated from a ransom payment of 2.8759 BTC made six hours earlier by a LockBit target to a wallet address provided by the LockBit conspirators.

4. Conclusion

In a concurrent press release issued by the U.S. Department of Justice on November 10, 2022, Deputy Attorney General Lisa O. Monaco said the arrest of Mr. Vasiliev resulted from an investigation spanning over two and a half years and is the product of multi-agency cooperation including the FBI Newark Field Office, the FBI’s Legal Attache-Ottawa and the Justice Department’s Office of International Affairs. The arrest was described as a “victory for the Justice Department” by Masood Farivar in a piece titled Russian-Canadian National Arrested in Ransomware Conspiracy published by VOA News on November 10, 2022. “Cybercriminals are rarely arrested and prosecuted,” Mr. Farivar wrote, “because they often operate out of U.S. law enforcement’s reach in countries with which the U.S. has no extradition treaty.” (here)

However, Mr. Vasiliev is not beyond the reach of U.S. law enforcement in this case because of its extradition treaty with Canada. (here, here and here) There are, nonetheless, various questions that will only be answered as new information emerges during the extradition process. One of the allegations absent from the criminal complaint is the specific identification of alleged complainants. During the execution of the first search warrant at Mr. Vasiliev’s residence, Canadian investigators discovered a “TARGETLIST” containing “either prospective or historical cybercrime victims.” (para. 3) One victim on the list is identified as a business in New Jersey that sustained a LockBit attack in November 2021. The police also discovered photographs of a computer screen showing usernames for platforms “belonging to employees of a LockBit victim in Canada” which suffered an attack in January 2022. It is uncontroversial under s. 3(1)(b) of Canada’s Extradition Act (here) that the offences allegedly committed in the United States must also constitute offences had they been committed in Canada.

Stay tuned.

Comments are closed.