Police arrest suspected LockBit operator as the ransomware gang spills new data

A dual Russian and Canadian national linked to the LockBit ransomware operation has been arrested over his alleged involvement in attacks targeting critical infrastructure and large industrial groups worldwide.

Mikhail Vasiliev, 33, was arrested in Ontario, Canada on October 26 following an investigation led by the French National Gendarmerie with the help of Europol’s European Cybercrime Centre, the FBI and the Canadian Royal Canadian Mounted Police. During the arrest, police seized eight computers, 32 external hard drives and €400,000 in cryptocurrencies, Europol said.

The arrest follows a similar action in Ukraine in October last year when a joint international law enforcement operation led to the arrest of two of his accomplices.

Europol says Vasiliev, described as “one of the world’s most prolific ransomware operators,” was one of its high-value targets due to his involvement in numerous high-profile ransomware cases. The EU police agency added that he is known for trying to extort victims with ransom demands between €5 to €70 million.

A separate press release from the Department of Justice notes that LockBit has claimed at least 1,000 victims in the United States and has extracted tens of millions of dollars in actual ransom payments from their victims.

Vasiliev is awaiting extradition to the United States, where he is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. If convicted, Vasiliev faces a maximum of five years in prison.

“Yesterday’s successful arrest demonstrates our ability to maintain and apply relentless pressure against our adversaries,” said FBI Deputy Director Paul Abbate. “The FBI’s persistent investigative efforts, in close collaboration with our federal and international partners, illustrates our commitment to using all of our resources to ensure we protect the American public from these global cyber threat actors.”

Brett Callow, a ransomware expert and threat analyst at Emisosft, tells TechCrunch that Vasiliev’s arrest could signal the end of the LockBit operation “as other cybercriminals will lose confidence in the integrity of the operation.

“Unfortunately, the group will probably rebrand, but this is nonetheless a significant arrest,” Callow added. “Vasiliev could well lead law enforcement to others involved in the operation.”

Specific victims targeted by the suspected LockBit operator were not named by Europol. However, France’s involvement in the operation suggests Vasiliev could be linked to a recent attack on French aerospace and defense group Thales.

LockBit, a prominent ransomware operation that’s previously claimed attacks on tech manufacturer Foxconn, U.K. health service vendor Advanced and IT giant Accenture, added Thales to its leak site on October 31. The group claimed to have published data stolen from the company today, which it describes as “very sensitive” and “high risk” in nature. Contents of the data leak include commercial documents, accounting files and customer files, according to LockBit, though the files had not been published at the time of publication.

“As far as customers are concerned, you can approach the relevant organizations to consider taking legal action against this company that has greatly neglected the rules of confidentiality,” a message on the LockBit leak site reads.

In a statement given to TechCrunch, Thales spokesperson Marion Bonnet says the company is “aware of an allegation of data theft by LockBit 3.0” but adds that it has not received any direct ransom notification. “We carefully monitor every allegation related to data theft,” Bonnet added. “A dedicated team of security experts systematically investigates this type of situation as security of data remains our key priority.”

LockBit also claims to have today leaked 40 terabytes of data stolen from German automotive giant Continental, and samples of the data suggest that the gang has accessed technical documents and source code. Though a ransom demand was not explicitly stated, the ransomware gang’s leak page claims to offer access to the full tranche of stolen data for $50 million.

Continental spokesperson Marc Siedler told TechCrunch that the company’s investigation into the incident has revealed that “attackers were also able to steal some data from the affected IT systems,” but refused to say what types of data were stolen or how many customers and employees have been affected.

Updated on November 11 with comment from Thales.