BARRIE COURT FILE NO.: CR-24-00000009
DATE: 20240312
ONTARIO SUPERIOR COURT OF JUSTICE
BETWEEN:
HIS MAJESTY THE KING
– and –
MIKHAIL VASILIEV
Defendant
Mr. S. Horgan and Ms. C. Weiler, for the Crown
Mr. L. Strezos, for the Defendant
HEARD: February 8, 2024
Reasons for Sentence
FUERST J.:
Introduction
[1] From the garage of his Bradford, Ontario home, Mikhail Vasiliev deployed LockBit ransomware, a malicious software designed to block access to computer systems and data. He used it to attack the computer systems of organizations in Canada, and also internationally, and then made demands for ransom payments.
[2] After receiving information from the United States Federal Bureau of Investigation (“FBI”), the Ontario Provincial Police (“OPP”) began its own investigation into Mr. Vasiliev’s activities.
[3] The police determined that Mr. Vasiliev used LockBit ransomware to obtain unauthorized access to the computer systems of a victim company, and encrypted and/or exfiltrated the victim company’s data. He then induced or attempted to induce the victim company to make ransom payments to him in cryptocurrency in exchange for decryption and/or destruction of encrypted and/or exfiltrated data.
[4] The police conducted a search under warrant of Mr. Vasiliev’s garage on October 26, 2022. They seized devices including laptops, computers, and cell phones. Analysis of the various devices showed that Mr. Vasiliev had launched LockBit ransomware attacks on three Canadian companies.
[5] Additionally, at the time of the search, Mr. Vasiliev was found in possession of two loaded, prohibited firearms.
[6] Mr. Vasiliev pleaded guilty to:
i. Three counts of extortion, contrary to s. 346(1.1)(b) of the Criminal Code;
ii. Three counts of unauthorized use of a computer to commit mischief to data under s. 430, contrary to s. 342.1(1)(c) of the Criminal Code; and,
iii. Two counts of possession of a loaded prohibited firearm, contrary to s. 95(1) of the Criminal Code.
[7] Crown and defence counsel agree that a global penitentiary sentence must be imposed for the offences that Mr. Vasiliev committed in Canada, but they differ as to its length.
[8] To be clear, any international cyber threat activity in which Mr. Vasiliev may have engaged was not before me for adjudication. It is not a component of the offences for which I sentence him today.
The Circumstances of the Offences
(a) Investigative Overview
[9] In September 2020, the OPP was advised by the FBI that it was investigating alleged cyber-criminal conduct involving Mr. Vasiliev. From September 2020 to July 2021, the OPP received background information from the FBI regarding their investigation into various threat actors who were using ransomware to victimize individuals and corporations in the United States and internationally.
[10] FBI investigators obtained search warrants, analyzed records provided by Google, completed considerable open-source investigations, and analyzed extensive activity on two criminal online forums, Exploit.in and Verified. The information the FBI provided to the OPP identified Mr. Vasiliev as an individual who operated on those two online criminal forums using the moniker [redacted]. The FBI provided the OPP with the records and data they had received through judicial authorizations.
[11] As a result of the information received from the FBI, the OPP’s Cybercrime Investigative Team began a parallel investigation into Mr. Vasiliev and his alleged ransomware activities.
[12] Between August 2021 and June 2023, the OPP obtained various judicial authorizations. This included production orders for records relating to IP addresses and phone numbers associated to Mr. Vasiliev; transmission data recorder warrants and tracking warrants to obtain tracking data and transmission data in relation to cell phones and a vehicle related to Mr. Vasiliev; a general warrant to covertly enter and search his home; a general warrant to remotely access any device, network or computer system associated to him, his cryptocurrency wallets, and any online platforms he used to conduct undercover online engagement with identified or suspected criminal associates; a search warrant for his home and vehicle; and a general warrant to use his login credentials found on his devices to access and acquire data from remote servers and the dark web forum websites Verified and Exploit.
(b) The Searches
[13] On August 31, 2022, the OPP covertly entered and searched Mr. Vasiliev’s home pursuant to the general warrant. They photographed and imaged numerous devices including cellular phones, computer systems, and digital storage devices.
[14] On October 26, 2022, the OPP, the FBI, and other law enforcement partners executed the search warrant and general warrant at Mr. Vasiliev’s home. He was found seated in the garage, at a table in front of a laptop running a Remote Desktop Protocol (“RDP”) session. An RDP allows a user to connect a local device to a remote server at a different location. The IP address for the remote server was determined to be Hostkey USA Inc., a hosting service provider with operations in New York. Within two days of the OPP’s search, the remote server was wiped of all stored data. Mr. Vasiliev, who was in custody at the time, had no knowledge of this, nor did he direct that it be done.
[15] Subsequent analysis of the laptop and the RDP session revealed that one of the browser windows was open with a tab “LockBit LOGIN” hosted at a particular LockBit TOR domain on the dark web. Analysis of the RDP session revealed that Mr. Vasiliev had previously navigated to various subdomains within the LockBit domain, and had already successfully entered a private key at a preliminary authentication stage allowing him to continue to that domain.
[16] During the search, the OPP located multiple seed phrases for Bitcoin wallet addresses that were connected to ransom payments made as a result of the deployment of LockBit ransomware in Canada and elsewhere.
[17] Approximately 41 devices (cellular phones, laptops, computers, digital storage devices, and cameras) were seized. Analysis of the contents of those devices continues to date. Investigative analysis focused on six key devices that stored confidential victim data from organizations that form the basis for the charges to which Mr. Vasiliev has pleaded guilty, as well as other organizations in Canada, the United States and elsewhere. The devices contained what appeared to be research about various organizations, including their gross revenues and potential vulnerabilities that could be exploited.
(c) The Firearms
[18] During the search of the garage on October 26, 2022, police found a large black backpack containing two prohibited firearms and magazines filled to capacity with ammunition. Specifically, police located a Glock 19 semi-automatic handgun in a case with two magazines, and a Ruger semi-automatic handgun in a case with two magazines.
[19] On October 26, 2022, Mr. Vasiliev was arrested and charged with firearms-related offences.
(d) American Cybercrime Charges and Extradition Proceedings
[20] In November 2022, the District of New Jersey charged Mr. Vasiliev in relation to his participation in the LockBit ransomware campaign. The American charges include conspiracy to “intentionally damage protected computers” and extorting money for threats “to cause damage to a protected computer”. Extradition proceedings were initiated in the Ontario Superior Court of Justice, Central East Region.
(e) Canadian Cybercrime Charges
[21] The police investigation determined that Mr. Vasiliev launched LockBit ransomware attacks on three Canadian victims: Crestline Coach Ltd., Carol Lake Metal Works, and Transat Telecom. That activity is the subject of the charges to which Mr. Vasiliev pleaded guilty.
(i) Crestline Coach Ltd.
[22] Crestline Coach Ltd. (“Crestline”) is a Canadian vehicle manufacturing company based in Saskatoon. At 5:00 a.m. on May 7, 2021, Crestline’s Senior Director of IT and CEO in one province discovered unusual activity happening within the company’s server domains in another province. Mr. Vasiliev had accessed the company’s system and, using LockBit ransomware, had begun to take actions to restrict the company’s ability to access its data. Mr. Vasiliev’s attack essentially shut down all computer systems and applications.
[23] Mr. Vasiliev gained access to Crestline’s systems through a faulty Outlook or VPN server. A subsequent forensic review of Crestline’s systems indicated that the infiltration had occurred several weeks before the attack.
[24] The attack compromised Crestline’s enterprise resource planning (“ERP”) software, which handles important business functions including procurement, payroll, costing, and financial reporting. Accordingly, all of Crestline’s operations, including production, were shut down for approximately ten days. The shutdown affected 203 company employees. Only some employees were able to complete partial work using paper-based information. Of particular concern was the exfiltration of a payroll file, which contained the personal information of numerous employees.
[25] Mr. Vasiliev supplied a ransom note contemporaneous with the attack on Crestline, demanding payment of $500,000 and offering “chat” support. The ransom note promised destruction of the exfiltrated employee information and decryption of other encrypted data, if Crestline paid the ransom. Crestline hired forensic IT specialists to conduct the ransom negotiations with Mr. Vasiliev and make the ransom payment. Although Mr. Vasiliev’s initial ransom demand was $1,000,000, Crestline (through its service provider) ultimately paid approximately $279,203 CAD in Bitcoin to the virtual wallet that Mr. Vasiliev supplied with the ransom note.
[26] Relative to the cost of the ransomware payment, the cost of remediating the attack for Crestline was substantial, calculated to be $363,188. Remediation efforts included fees for forensic IT specialists who conducted a forensic investigation, isolated the data centre from the internal network, changed passwords for all employees, and scoured company devices for any remaining malware fragments. Crestline also incurred significant fees for legal and credit monitoring services to address the privacy concerns associated with the exfiltrated employee information. IT remediation took approximately one week. Remediating the exfiltration of the personal employee information took several months.
(ii) Carol Lake Metal Works
[27] Carol Lake Metal Works (“Carol Lake”) is a mid-sized, privately-owned company that provides a large inventory of steel products as well as welding, machining, and fabrication services to the mining, construction, agriculture, oil and gas, and hydro-electric industries. The company is located in Labrador City, Newfoundland.
[28] Carol Lake’s ERP software allowed the company to keep track of all aspects of the business. On January 6, 2022, Mr. Vasiliev attacked Carol Lake with LockBit 2.0 ransomware. That morning, Carol Lake’s ERP software was not working and would not allow employees to log in. The attack encrypted a large portion of the data on Carol Lake’s server. Carol Lake employees immediately disconnected the company’s systems from the internet, and attempted to patch and recover any holes the ransomware came through.
[29] The next day, January 7, 2022, Carol Lake discovered that the ransomware had again gained access to the company’s systems and disabled the company’s email system. Carol Lake believes that the attacker gained access through a missed cumulative update on their email server.
[30] Mr. Vasiliev’s LockBit 2.0 attack on Carol Lake resulted in every file being encrypted. Mr. Vasiliev orchestrated the attack so that every encrypted directory was accompanied by a ransom note demanding payment for decryption. Like the Crestline attack, the ransom note asked that the company log in to the dark web through a TOR browser, and provided the opportunity to chat with the principal actor of the attack (Mr. Vasiliev) through the TOR. An employee from Carol Lake logged into the TOR to engage in initial discussions with the attacker, but did not receive any answer. After that initial outreach, the company did not log into the TOR again.
[31] Carol Lake was not interested in paying the ransom and, in fact, paid no ransom. Carol Lake instead opted to rebuild its systems from scratch and suffer the loss of some, but not all, of its data.
[32] Mr. Vasiliev’s attack affected all of Carol Lake’s operations in the following manner:
a. Approximately 90 employees and 50 computers, as well as the company’s domain, file, and email servers were impacted;
b. Passwords on the telephone system were changed;
c. Backup systems were compromised;
d. Network attached storage devices were wiped;
e. It took one week to return the accounting software to operational;
f. It took two weeks to decrypt the ERP software;
g. After that, each employee workstation had to be brought back one-by-one from scratch; and,
h. Included in the data exfiltrated was a list of company passwords and login information. Fortunately, no personal information was accessed or exfiltrated.
[33] Despite not paying the ransom demanded, Carol Lake incurred a financial loss as a result of Mr. Vasiliev’s cyber attack, specifically about $113,000 in costs associated with hiring cybersecurity experts to assess and repair the damage from the breach, and revenue lost due to downtime and decreased customer trust.
(iii) Transat Telecom
[34] Transat Telecom (“Transat”) is an internet services provider based in Montreal, Quebec. It provides home phone, internet, and television services to residents of Ontario and Quebec.
[35] On May 12, 2022, Transat was the victim of a LockBit ransomware attack deployed by Mr. Vasiliev. At around 3:00 a.m., Transat employees noticed that the company’s systems were unable to join servers or connect to VPN. All of Transat’s virtual machines were encrypted and unable to run. The ransomware impacted Transat’s billing system, call-centre tools, and user authentication services.
[36] The ransomware inserted a text file into each of the company’s encrypted folders. The text file demanded payment of $1,000,000 to obtain a decryption application to retrieve the company’s data. If the ransomware payment was made quickly, within a certain number of days, the payment would be discounted to $500,000.
[37] Mr. Vasiliev communicated with Transat through a chat function in a TOR browser link that he provided. The chat communications between Mr. Vasiliev and Transat revolved around negotiations of the ransomware payment. Transat’s revenues were too small to justify a $500,000 demand. Ultimately, after a period of five days of chat negotiations, Transat paid $5,000 USD worth of Monero cryptocurrency. Once the ransom was paid, a decryption tool was automatically supplied to Transat within eight hours, restoring access to its data. In addition to the ransom payment, Transat incurred approximately $100,000 in costs associated with remediating Mr. Vasiliev’s cyber attack.
The Victim Impact Information
[38] Victim Impact Statements were received on behalf of two of the companies.
[39] On behalf of Carol Lake, its President wrote that the aftermath of the cyber attack continues. In addition to the company’s significant financial loss, he and the company’s employees have suffered overwhelming emotional distress because of worry about the breach and its implications. Many employees have faced uncertainty about their job security. Some have had their hours of work reduced. In addition, the cyber attack has eroded the trust of the company’s customers, and damaged the company’s reputation.
[40] On behalf of Transat, its Solutions Architect wrote that the company lost customers because of problems related to lost data. It also lost the ability to process new customers for a period of time.
The Circumstances of Mr. Vasiliev
[41] Mr. Vasiliev is 34 years old. He was born in Moscow, Russia. He came to Canada in April 2002 with his parents and sister. Mr. Vasiliev has dual Canadian and Russian citizenship.
[42] Mr. Vasiliev attended high school in York Region. He has no criminal record.
[43] Throughout 2022, Mr. Vasiliev, his wife, and their young son lived in Bradford, Ontario.
[44] Mr. Vasiliev’s wife, who is pregnant, anticipates moving to Russia with their son. Although Mr. Vasiliev is estranged from his father, his mother and stepfather remain supportive of him.
[45] Mr. Vasiliev was arrested on October 26, 2022, on the firearms charges. He spent six days in jail before being released on bail. He was arrested on a provisional arrest warrant on November 9, 2022, and released on extradition bail on December 19, 2022, after 41 days in custody. The conditions of bail required that he be in the presence of a surety at all times both inside and outside his residence, and that he wear a GPS monitoring device. After 125 days, the bail was relaxed so that the presence of a surety was not required when he was in his residence. On December 14, 2023, after being on bail for 359 days, he was arrested for allegedly breaching its terms. He has remained in custody since. In total, he has spent 137 days in pre-sentencing custody, which at one and a half to one I treat as seven months.
The Positions of the Parties
[46] The Crown seeks a global sentence of five years in jail, less time in pre-sentence custody credited at one and a half to one, and some credit for time on bail with restrictive conditions. Mr. Horgan submits that a sentence of three years in jail should be imposed for extortion; a concurrent sentence of one year in jail for unauthorized use of a computer to commit mischief; and for possession of a loaded prohibited firearm, a consecutive sentence of two years in jail. He seeks restitution to the three victim companies in the global amount of $860,881.82; DNA orders; s. 109 orders for life; and an order of forfeiture for all offence-related property and proceeds of crime.
[47] Mr. Horgan submits that denunciation and deterrence must be the primary objectives of sentencing in this case, given the nature of the ransomware extortion offences. Ransomware attacks expose the victim to paralysis of its critical business systems, and the threat of exfiltration and publication of its data if payment is not made. In addition to the significant financial implications, such attacks have a psychological impact. They cause anxiety and fear for the victim’s management team and employees, and also clients and others whose data is at risk. There is a broader social impact as well, because organizations must divert resources to cybersecurity measures to thwart such attacks. Even for a first offender, a penitentiary sentence is required.
[48] On behalf of Mr. Vasiliev, Mr. Strezos seeks a global sentence of four and a half years’ imprisonment, less combined credit for pre-sentence custody and time on a strict house arrest bail, of one year. He submits that the sentence for extortion should be three years, and the consecutive sentence for the firearms offences should be a year and a half. He voiced no objection to the ancillary orders sought by Crown counsel.
[49] Mr. Strezos emphasizes that his client is a first offender who has shown remorse and accepted responsibility for his offences from early in the court process. The defence focused on obtaining core disclosure only. Mr. Vasiliev waived what would have been a lengthy preliminary hearing, and once the case was in the Superior Court the defence made it clear the matter was on a resolution track. Mr. Vasiliev is consenting to extradition to New Jersey to face charges there. Mr. Strezos points out that Mr. Vasiliev did not spend the proceeds of his offences lavishly. Once his Bitcoin wallet is liquidated, close to full restitution will be made to the victims of the Canadian offences. It is mitigating that Mr. Vasiliev suffered some measure of harshness in the conditions of his pre-sentence detention, in that he was locked down approximately fifty per cent of the time.
[50] Both Crown and defence counsel intend that Mr. Vasiliev’s Canadian sentence run concurrently with any sentence imposed in the United States.
The Principles of Sentencing
[51] The Criminal Code sets out a number of principles of sentencing that govern a judge’s determination of the appropriate sentence in any given case.
[52] Section 718 provides that the fundamental purpose of sentencing is to protect society and to contribute to respect for the law and the maintenance of a just, peaceful and safe society. This is achieved by the imposition of just sanctions that have one or more of the following objectives: the denunciation of unlawful conduct and the harm done to victims or the community, deterrence both general and specific, the separation of the offender from society where necessary, rehabilitation, reparation for harm done to victims or the community, and promotion of a sense of responsibility in offenders and acknowledgment of the harm done to victims or the community.
[53] Section 718.1 of the Code provides that a sentence must be proportionate to the gravity of the offence and the degree of responsibility of the offender. Proportionality is the chief organizing principle in determining a fit sentence. See, R. v. Parranto, 2021 SCC 46, at para. 10.
[54] Section 718.2 provides that a sentence should be increased or decreased to account for any aggravating and mitigating circumstances. It sets out various aggravating factors. It also requires that a sentence be similar to those imposed on similar offenders in similar circumstances, that where consecutive sentences are imposed the combined sentence not be unduly long or harsh, that an offender not be deprived of liberty if less restrictive sanctions may be appropriate in the circumstances, and that all available sanctions other than imprisonment that are reasonable in the circumstances and consistent with the harm done to victims or the community should be considered for all offenders.
[55] In every case, the determination of a fit sentence is a fact-specific exercise, not a purely mathematical calculation. As the Supreme Court of Canada put it in R. v. Ferguson, 2008 SCC 6, at para. 15, “The appropriateness of a sentence is a function of the purpose and principles of sentencing set out in ss. 718 to 718.2 of the Criminal Code as applied to the facts that led to the conviction.” The gravity of the offence, the offender’s degree of responsibility, the specific circumstances of the case, and the circumstances of the offender all must be taken into account by the sentencing judge. See, R. v. Lacasse, 2015 SCC 64, at paras. 58 and 143.
Sentencing Parameters
[56] None of the offences to which Mr. Vasiliev pleaded guilty carry a mandatory minimum sentence. However, extortion is punishable by a maximum sentence of life imprisonment. This reflects Parliament’s view of the gravity of the offence.
Analysis
[57] Ransomware strikes, whether committed on government, business, or other entities such as hospitals and public libraries, are attacks not only on the particular organization, but also on the community as a whole. They paralyze the direct victim from carrying on its legitimate daily activities. In so doing, they prevent members of the community from exercising their free choice, and in the case of entities such as governments and hospitals, their right, to obtain services or goods that they need and/or desire. Additionally, members of the public who are clients or customers of the entity are exposed to the risk that their personal information will be disseminated.
[58] In this case, the entities attacked by Mr. Vasiliev were businesses. Commercial activity is essential to a healthy, functioning economy. It generates revenue, and it creates jobs. When businesses are victimized by threat actors like Mr. Vasiliev, their operations are crippled. Employees are prevented from performing the tasks for which they get paid. Expensive remediation steps must be taken. Whether or not a victimized company pays a ransom, it suffers significant financial loss. Its ability to contribute to the community’s economic well-being, both directly and indirectly, is compromised. This is graphically illustrated by the Victim Impact Statements provided on behalf of the Canadian companies targeted by Mr. Vasiliev. As the President of Carol Lake wrote, “Cybercrimes have real-world consequences.”
[59] Cyber attacks on business entities are extremely serious. Sentences imposed on those who acquire and use malicious software to obtain unauthorized access to the computer systems of business entities, and then demand that the victims pay ransom for access to their own data, must be sufficiently severe to denounce such activity. The sentences imposed must also deter both the offender and other like-minded persons from engaging in such conduct. This includes by stripping offenders of the profits of their crimes.
[60] Crown counsel advised that to date there appears to be only one Canadian case in which an offender was convicted and sentenced for committing ransomware attacks. In R. v. Vachon-Desjardins, 2022 ONCJ 43, the offender received a lengthy penitentiary sentence. Over several months, he victimized 17 Canadian entities, as well as others throughout the world. Acting as part of a criminal organization, he breached private computer networks and systems, and hijacked their data. He held the stolen data for ransom, payable in crypto-currency. When ransoms were not paid, he distributed the stolen data. The direct loss to his Canadian victims was at least $2.8 million. At the time of his arrest, he had liquid assets in excess of one million dollars, having already shared his illegitimate gains with unindicted co-conspirators and the developer of the ransomware he used. He pleaded guilty to two counts of extortion, one count of mischief to data, one count of unauthorized use of a computer, and one count of participation in the activities of a criminal organization. He cooperated with the authorities and helped to identify the victims and their losses. He had an unrelated prior criminal record. He was in a position to forfeit substantial assets that could be used to provide partial restitution to his victims. He was sentenced on the basis of a joint submission to a global sentence of seven years in jail. This included four years’ jail for extortion.
[61] The sentence imposed in the Vachon-Desjardins case provides something of a guidepost to determine the appropriate sentence for Mr. Vasiliev. Like Mr. Vachon-Desjardins, Mr. Vasiliev is a cyber-terrorist. As in the case of Mr. Vachon-Desjardins, denunciation and general deterrence, along with specific deterrence, are primary goals of sentencing. Rehabilitation is a lesser consideration, but because Mr. Vasiliev is a first offender it cannot be ignored.
[62] Sentencing is an individualized process. The particular aggravating and mitigating factors in Mr. Vasiliev’s case are important in determining the fit sentence for him.
[63] The aggravating factors include the following:
- Mr. Vasiliev’s conduct was not spur of the moment. He did not simply stumble upon an Internet advertisement for LockBit ransomware, and casually decide to give it a try out of idle curiosity. His conduct was planned, deliberate, and coldly calculated. He sought out the LockBit ransomware on the dark web, obtained it, and then deliberately deployed it, based on his research into various organizations, their gross revenues, and potential vulnerabilities that could be exploited. His Canadian victims were specifically targeted by him.
- His conduct was not an isolated lapse in judgement. It spanned a period of about eight months, and involved the victimization of three Canadian companies.
- The motivation for his criminality was personal gain.
- The combined financial loss of the victims, including that flowing from the paralysis of their operations and remedial measures, approaches $900,000.
- In addition, the victim companies, their management teams, and their employees suffered significant psychological damage, including worry about the ability of the companies to operate, the potential for loss of income and jobs, and the prospect of reputational harm.
- The adverse impact of the cyberattacks extended beyond the victims themselves. In particular, their customers were exposed to the potential dissemination of confidential information. Trust in the victim entities was eroded.
- Mr. Vasiliev secreted two fully loaded handguns in a backpack in the garage of his home, posing an obvious risk of harm to others.
[64] I also must consider the mitigating factors, which include:
- Mr. Vasiliev pleaded guilty, which is a sign of remorse and willingness to accept responsibility for his crimes.
- Through his counsel, he took steps to move the case to resolution from early in the proceedings. He limited his disclosure requests, waived the preliminary hearing to which he was entitled, and focused appearances in the Superior Court on resolution. This saved weeks, if not months, of court time in both the Ontario Court of Justice and the Superior Court of Justice.
- Mr. Vasiliev consented to extradition to New Jersey. This too saved prosecutorial and court resources.
- It is anticipated that substantial restitution will be made to the victim companies.
- Although he is not youthful, Mr. Vasiliev is a first offender.
- I have virtually no information about the specific conditions of Mr. Vasiliev’s pre-sentencing detention. However, I am aware that lockdowns due to staffing shortages are a “standard operating procedure” of Greater Toronto Area detention centres. I accept that there was some degree of harshness in the conditions of Mr. Vasiliev’s pre-sentencing custody.
- Mr. Vasiliev has family support in Canada through his mother and stepfather. This will aid in his reintegration into the broader community on his release from jail.
[65] The gravity of Mr. Vasiliev’s offences is significant. They were far from victimless crimes. They had far-reaching consequences. He was the sole perpetrator, motivated by his own greed. His moral blameworthiness is very high.
[66] I do not have information that Mr. Vasiliev’s strict house arrest and electronic monitoring bail conditions actually affected his ability to hold employment, pursue education, attend a place of worship, or engage in other legitimate activities. However, I infer there was some impact on his freedom of movement, even simply his ability to step outside for fresh air. I grant him a credit of three months against the jail term I would otherwise impose. This is in addition to enhanced credit of seven months for pre-sentence custody.
Conclusion
[67] The sentence I impose must send a clear message that there is no place in our digitally dependent society for cybercrime of the kind perpetrated by Mr. Vasiliev. He and other potential threat actors must understand that ransomware attacks are serious crimes that will attract significant jail sentences, even for first offenders.
[68] Absent Mr. Vasiliev’s efforts to move the case to resolution and his consent to extradition, I would impose the global sentence sought by Crown counsel. In light of those factors, however, I am satisfied that a global jail term of four years and six months is appropriate. Against that sentence I credit ten months for pre-sentence custody and time on a strict house arrest bail. That leaves a sentence to serve of three years and eight months in jail.
[69] Mr. Vasiliev, please stand.
[70] I sentence you as follows:
On count 1, to three years in jail;
On count 2, to three years in jail, concurrent;
On count 3, to three years in jail, concurrent;
On count 4, to one year in jail, concurrent;
On count 5, to one year in jail, concurrent;
On count 6, to one year in jail, concurrent;
On count 7, to 18 months in jail consecutive, less seven months for pre-sentence custody calculated on the basis of one and a half to one plus an additional three months’ credit for time on a strict house arrest bail, leaving eight months to serve in jail, consecutive; and,
On count 8, to eight months in jail concurrent.
[71] On each count there is a DNA order. On counts 7 and 8 there are ss. 109(2)(a) and (b) orders for life.
[72] All parties agree that Mr. Vasiliev should receive credit against this sentence of the Ontario Superior Court of Justice for any time he spends in United States custody in respect of the New Jersey charges. For the purpose of calculating the time to be served on this Ontario Superior Court of Justice sentence, Canadian correctional authorities should credit Mr. Vasiliev for each day served in United States custody in respect of the New Jersey charges.
[73] There is a forfeiture order as requested by the Crown for all offence-related property and proceeds of crime.
[74] I order restitution in the global amount of $860,881.82, broken down as follows: $642,391 in favour of Crestline Coach Ltd.; $105,000 in favour of Transat Telecom; and $113,490.82 in favour of Carol Lake Metal Works. The amounts forfeited should be applied to pay these three victims proportionally for their losses, and the restitution orders should be reduced by any amounts repaid to the victims. If there is a residual amount after full restitution is made, the Ministry of the Attorney General (Ontario) will retain it and facilitate a request from the United States Department of Justice to transfer the funds to the appropriate authorities upon receipt of a restitution order from an American court of competent jurisdiction. In the absence of such request, the residual amount will be forfeited to His Majesty the King.
[75] The victim fine surcharge is waived for hardship in the particular circumstances of this case.
Justice M.K. Fuerst
Released: March 12, 2024
NOTE: As noted in court, on the record, this written decision is to be considered the official version of the Reasons for Sentence and takes precedence over the oral Reasons read into the record in the event of any discrepancies between the oral and written versions.

