The Department of Justice (DOJ) has announced the arrest of Mikhail Vasliev, 33, for suspected involvement in the global LockBit ransomware attacks that have targeted hundreds of organizations over the past two years.
Vasliev, who is a Russian-Canadian citizen according to BBC News, is currently being held while awaiting extradition proceedings.
“Cyber criminals who damage protected systems, exploit privileged information, or hold for ransom important files and data are a threat to our way of life,” FBI-Newark Special Agent in Charge James E. Dennehy said in a press release announcing the arrest.
“The FBI will not stand idly by while companies and government entities are bled dry or while their systems are corrupted by these criminal opportunists. We will utilize every tool in our arsenal – including our global partnerships – to shut down these types of schemes.”
If convicted, Vasliev could face fines of up to $250,000 or twice the ransom charged to victims, whichever is greater, in addition to 5 years in prison per incident.
LockBit has quickly become a leading ransomware threat.
LockBit is one of the fastest-growing ransomware variants. It functions as a Ransomware-as-a-Service (RaaS) product, with a core organization lending the software to bad actors. When victims pay a ransom, a portion of the ransom is paid to the original LockBit group.
LockBit infections progress quickly and automatically, without much human oversight. Several versions of the software have been released, with each implementing more powerful protocols to prevent data recovery efforts.
Other key characteristics of LockBit:
- The software self-executes without a long dormant phase.
- The executable is hidden on the victim’s system, usually as a PNG (image file) or another common file format.
- After executing, the ransomware encrypts the victim’s data, replacing file extensions with .abcd or .lockbit extensions.
- The victim is led to a ransom message that requests payment via cryptocurrency. Earlier versions of LockBit used a tor browser for this ransom message, but LockBit 3 typically uses a standard web browser.
While the LockBit group claims to operate by a “code of ethics,” independent analysts have noted that the attacks often target healthcare organizations, charities, and educational institutions.
The suspect’s involvement in LockBit was not immediately clear.
According to the FBI’s press release, Vasliev is charged with intentionally damaging protected computers and transmitting “ransom demands in connection with doing so.”
“This arrest is the result of over two-and-a-half-years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world,” Deputy Attorney General Lisa O. Monaco said.
“It is also a result of more than a decade of experience that FBI agents, Justice Department prosecutors, and our international partners have built dismantling cyber threats. Let this be yet another warning to ransomware actors: working with partners around the world, the Department of Justice will continue to disrupt cyber threats and hold perpetrators to account. With our partners, we will use every available tool to disrupt, deter, and punish cyber criminals.”
Will LockBit continue to pose a cybersecurity threat?
The FBI’s press release indicates that the suspect may be a low-level actor; to date, we have not seen evidence that the LockBit origination group is materially involved with carrying out attacks.
Whether Vasliev is a ransomware distributor or one of the individuals who developed the malware, it’s likely that LockBit will remain a global cybersecurity threat. However, aggressive prosecution of bad actors can certainly impact ransomware distribution schemes.
And LockBit’s origination group has encountered other problems in recent months: In September, a Twitter user distributed the ransomware’s builder, which could enable other ransomware groups to use and refine LockBit’s methods (without paying a portion of collected ransoms to the origination group).
LockBit is popular, but less robust than other ransomware variants.
At Datarecovery.com, we’ve developed methods for resolving most LockBit infections, including attacks that use the latest version of the software (currently, LockBit 3.0).
While LockBit works quickly, it has more vulnerabilities than other types of ransomware. The creators seem aware of this problem — the LockBit group offers payment to researchers who can find vulnerabilities in their code via a “bug bounty” program, which offers rewards of up to $1 million. Needless to say, participating in the “bug bounty” is quite illegal.
For LockBit infections, the chances of a successful data recovery depend on several factors:
- The amount of time since the initial infection. LockBit spreads quickly, and we recommend disconnecting any exposed volumes as soon as the infection has been identified.
- The total number of volumes infected.
- The version of LockBit (ABCD, LockBit 2.0, or LockBit 3.0) used. Newer versions of LockBit are more robust, but all versions of the software have vulnerabilities that can be exploited by data recovery teams.
- The size and complexity of the infected files. Larger files (such as databases) are actually better candidates for recovery.
If you’ve encountered a LockBit ransomware infection, we’re here to help. Call 1-800-237-4200 to discuss your case with a ransomware expert or click here to schedule an evaluation online.