U.S. Charges Dual Russian, Israeli National as Developer of LockBit Ransomware Group

By Staff

The Department of Justice unsealed a superseding criminal complaint filed in the District of New Jersey charging a dual Russian and Israeli national with being a developer of the LockBit ransomware group.

In August, Rostislav Panev, 51, a dual Russian and Israeli national, was arrested in Israel pursuant to a U.S. provisional arrest request with a view towards extradition to the U.S. Panev is currently in custody in Israel pending extradition on the charges in the complaint.

“Three of the individuals who we allege are responsible for LockBit’s cyberattacks against thousands of victims are now in custody, and we will continue to work alongside our partners to hold accountable all those who lead and enable ransomware attacks,” Attorney General Merrick B. Garland said.

The complaint alleges that Panev developed malware and maintained infrastructure for LockBit, which has attacked thousands of victims and caused billions of dollars in damage. According to Principal Deputy Assistant Attorney General Nicole M. Argentieri, the Criminal Division has now charged seven of LockBit’s key members and arrested three.

Complaints, documents and court statements allege that Panev acted as a developer of the LockBit ransomware group from its inception in or around 2019 through at least February 2024. During that time, Panev and his LockBit co-conspirators grew LockBit into what was, at times, the most active and destructive ransomware group in the world.

The LockBit group attacked more than 2,500 victims in at least 120 countries around the world, including 1,800 in the U.S. Their victims ranged from individuals and small businesses to multinational corporations, including hospitals, schools, nonprofit organizations, critical infrastructure and government and law-enforcement agencies.

LockBit’s members extracted at least $500 million in ransom payments from their victims and caused billions of dollars in other losses, including lost revenue and costs from incident response and recovery. LockBit’s other members, called “affiliates,” carried out attacks and extorted ransom payments from victims. Developers and affiliates would then split ransom payments extorted from victims.

On Panev’s computer, law enforcement reportedly discovered administrator credentials for an online repository that was hosted on the dark web and stored source code for multiple versions of the LockBit builder, which allowed LockBit’s affiliates to generate custom builds of its ransomware malware for particular victims.

On that repository, law enforcement also discovered source code for LockBit’s StealBit tool, which helped its affiliates exfiltrate data stolen through attacks. Law enforcement also discovered access credentials for the LockBit control panel, an online dashboard maintained by developers for affiliates and hosted by those developers on the dark web.

The complaint also alleges that Panev exchanged direct messages through a cybercriminal forum with LockBit’s primary administrator, who, in an indictment unsealed in the District of New Jersey in May, the U.S. alleged to be Dimitry Yuryevich Khoroshev, also known as LockBitSupp, LockBit and putinkrab.

In those messages, Panev and the LockBit primary administrator discussed work that needed to be done on the builder and control panel.

Court documents further indicate that, between June 2022 and February 2024, the primary LockBit administrator made a series of transfers of cryptocurrency, laundered through one or more illicit cryptocurrency mixing services, of approximately $10,000 per month to a cryptocurrency wallet owned by Panev. Those transfers amounted to over $230,000 during that period.

In interviews with Israeli authorities following his arrest in August, Panev admitted to having performed coding, development and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work, consistent with the transfers identified by U.S. authorities.

Among the work that Panev admitted to having completed for the LockBit group was the development of code to disable antivirus software, to deploy malware to multiple computers connected to a victim network and to print the LockBit ransom note to all printers connected to a victim network.

Panev also admitted to having written and maintained LockBit malware code and to having provided technical guidance to the LockBit group.

The LockBit Investigation

The complaint follows a disruption of LockBit ransomware in February by the United Kingdom’s National Crime Agency’s Cyber Division, which worked in cooperation with the Justice Department, FBI and other international law enforcement partners.

As previously announced by the Department, authorities disrupted LockBit by seizing numerous public-facing websites used by LockBit to connect to the organization’s infrastructure and by seizing control of servers used by LockBit administrators, thereby disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data.

A total of seven LockBit members have now been charged in the District of New Jersey. Beyond Panev and Khoroshev, other previously charged LockBit defendants include:

  • In July, two LockBit affiliate members, Mikhail Vasiliev, also known as Ghostrider, Free, Digitalocean90, Digitalocean99, Digitalwaters99 and Newwave110, and Ruslan Astamirov, also known as BETTERPAY, offtitan and Eastfarmer, pleaded guilty in the District of New Jersey for their participation in the LockBit ransomware group and admitted deploying multiple LockBit attacks against U.S. and foreign victims. Vasiliev and Astamirov are presently in custody awaiting sentencing.
  • In February, an indictment was unsealed in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the U.S., including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries. Sungatov and Kondratyev remain at large.
  • In May 2023, two indictments were unsealed in Washington, D.C., and the District of New Jersey charging Mikhail Matveev, also known as Wazawaka, m1x, Boriselcin and Uhodiransomwar, with using different ransomware variants, including LockBit, to attack numerous victims throughout the U.S., including the Washington, D.C., Metropolitan Police Department. Matveev remains at large and is currently the subject of a reward of up to $10 million through the U.S. Department of State’s TOC Rewards Program, with information accepted through the FBI tip website at tips.fbi.gov.
