The U.S. Justice Department said Thursday that it had charged a dual Russian-Canadian citizen with allegedly participating in one of the most prolific ransomware operations in the world.
Mikhail Vasiliev, 33, was arrested Wednesday in Canada and is awaiting extradition to the United States, the Justice Department said.
According to court papers, Vasiliev, a resident of Bradford, Ontario, allegedly participated in a ransomware campaign using a malware variant known as LockBit.
In a ransomware attack, cybercriminals use malicious software such as LockBit to encrypt data stored on a victim's computer and then demand a ransom payment in exchange for a key to unlock the files.
The arrest is a victory for the Justice Department. Cybercriminals are rarely arrested and prosecuted because they often operate out of U.S. law enforcement's reach in countries with which the U.S. has no extradition treaty.
“This arrest is the result of over 2-1/2 years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world,” Deputy Attorney General Lisa O. Monaco said in a statement. "Let this be yet another warning to ransomware actors: Working with partners around the world, the Department of Justice will continue to disrupt cyber threats and hold perpetrators to account."
In recent years, ransomware attacks have surged as cybercriminals have targeted U.S. schools, health care companies, energy facilities and local governments.
Last year, a ransomware attack on U.S.-based Colonial Pipeline forced the pipeline operator to shut down its entire network along the East Coast.
Partly in response to the attack, the Justice Department the following month launched a new task force to combat ransomware.
Like other ransomware variants, LockBit operated through something called “ransomware-as-a-service,” where developers create the malware and recruit cybercriminals to use it in attacks, according to a criminal complaint unsealed on Thursday.
The criminal complaint described LockBit, which it said first appeared around January 2021, as "one of the most destructive ransomware variants in the world."
"In many instances, LockBit perpetrators have posted highly confidential and sensitive data stolen from LockBit victims to a publicly available website under their ownership and control," the complaint said.
Vasiliev and others involved in the conspiracy have allegedly carried out at least 1,000 ransomware attacks in the United States and around the world, demanding at least $100 million in ransom payments and receiving tens of millions of dollars, according to the criminal complaint.
The complaint did not name any victims.
The FBI has been investigating LockBit since March 2020.
In August, according to the complaint, Canadian authorities executed a search of Vasiliev's home in Ontario, recovering a computer file with "a list of what appears to be either prospective or historical cybercrime victims."
During a subsequent search last month, Canadian law enforcement seized Vasiliev's laptop, obtaining evidence linking him to LockBit's site hosted on the dark web and to a cryptocurrency payment he had received from a victim just six hours earlier.
On the list of victims recovered from Vasiliev's home in August was a New Jersey business that suffered a confirmed LockBit attack in November 2021, according to the criminal complaint.
In a threat assessment last month, New Jersey cybersecurity officials said they continued to receive reports of ransomware attacks involving LockBit and other variants. They noted that while ransomware attacks decreased overall during the third quarter of 2022, LockBit attacks increased and accounted for more than 40 percent of victims.