Member of LockBit ransomware group sentenced to 4 years in prison

A dual Canadian-Russian national has been sentenced to four years in prison for his role in infecting more than 1,000 victims with the LockBit ransomware and then extorting them for tens of millions of dollars.

Mikhail Vasiliev, a 33-year-old who most recently lived in Ontario, Canada, was arrested in November 2022 and charged with conspiring to infect protected computers with ransomware and sending ransom demands to victims. Last month, he pleaded guilty to eight counts of cyber extortion, mischief, and weapons charges.

During an October 2022 raid on Vasiliev’s Bradford, Ontario, home, Canadian law enforcement agents found Vasiliev working on a laptop that displayed a login screen to the LockBit control panel, which members used to carry out attacks. The investigators also found a seed phrase credential for a bitcoin wallet address that was linked to a different wallet that had received a payment from a victim that had been infected and extorted by LockBit.

In an earlier raid, the investigators found a file named “TARGETLIST” stored on one of Vasiliev’s devices, FBI agents said in a court document. The file contained a list of what appeared to be either prospective or historical cybercrime victims targeted by LockBit. The investigators also uncovered:

• Screenshots of message exchanges with someone with the username LockBitSupp, a moniker used by one or more of the main LockBit members. The messages discussed the status of stolen data stored on the LockBit servers and a confirmed LockBit victim located in Malaysia.
• A text file with the heading “LockBit Linux/ESXi locker V: 1.1” that included what appeared to be instructions for the deployment of the LockBit ransomware.
• Photographs of a computer screen showing usernames and passwords for devices belonging to employees of a confirmed LockBit victim that had been infected in January 2022.

LockBit has operated since at least 2019 and has also been known under the name “ABCD” in the past. Within three years, the group’s malware was the most widely circulating ransomware. Like most of its peers, LockBit has operated under what’s known as ransomware-as-a-service, in which it provides software and infrastructure to affiliates who use it to do the actual hacking. LockBit and the affiliates then divide any resulting revenue. Hundreds of affiliates participated. The FBI said last month that LockBit to date has extorted more than $120 million from thousands of victims around the world.

Last month, the FBI said that it and partner law enforcement agencies around the world struck a major blow at LockBit by seizing most of the server infrastructure the group used to coordinate attacks and make ransom demands to victims. The takedown occurred after law enforcement agents gained the highest levels of system access to a LockBit system and the main web panel LockBit operators used to communicate.

Authorities said they seized control of 14,000 accounts and 34 servers located in the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK. Two LockBit suspects were arrested in Poland and Ukraine, and five indictments and three arrest warrants were issued. Authorities also froze 200 cryptocurrency accounts linked to the ransomware operation.

Two days later, researchers detected a new round of attacks that spread LockBit ransomware. A few days after that, a key LockBit member published a post that said law enforcement had taken down only some of the group’s infrastructure. LockBit members opened a new dark web site that claimed to have hacked several new victims. The new activity has raised concerns among some that LockBit remained viable.

Last week, journalist Valéry Marchive said that most of the hacks claimed on the new site were recycled from previous events in 2022, 2023, and 2024. “The data leaked by the LockBit 3.0 franchise does not appear to be the result of cyber attacks carried out by a very large number of shackles,” Marchive wrote. LockBit 3.0 was a reference to the newly revived group as claimed on the new dark web site.

Michelle Fuerst, the judge presiding over Vasiliev's case, said during Tuesday’s sentencing that Vasiliev was a “cyber-terrorist” whose actions were “planned, deliberate, and coldly calculated,” according to CTVNews. The judge reportedly also said that the defendant’s actions were "far from victimless crimes" and that he was "motivated by his own greed."

An attorney representing the defendant said: “Mikhail Vasiliev took responsibility for his actions, and that played out in today's courtroom with the sentence that was imposed.”