US Indicts LockerGoga, MegaCortex, Nefilim Ransomware Admin
The Justice Department has charged a Ukrainian national who is behind ransomware attacks on at least 200 U.S. companies tied to LockerGoga, MegaCortex, and Nefilim.

September 10, 2025 | 3 min read

The Justice Department has charged a Ukrainian national who is allegedly behind ransomware attacks on at least 200 U.S. companies tied to LockerGoga, MegaCortex, and Nefilim.
According to the Justice Department’s release on Tuesday, Volodymyr Viktorovich Tymoshchuk (also known as deadforz, Boba, msfv, and farnetwork) allegedly served as an administrator for the three ransomware families. These three ransomware families first publicly emerged between 2019 and 2020, and have been tied to various attacks on organizations in the U.S., France, Germany, the Netherlands, Norway, and Switzerland. The operators targeted healthcare institutions, large industrial firms, and financial institutions, and threatened to leak sensitive data online if victims refused to pay.
“Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division in a statement. “In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored.”
Tymoshchuk and his partners allegedly first compromised victims with LockerGoga and MegaCortex between July 2019 and June 2020 and attempted to extort them. However, the Justice Department said, many of these extortion attempts were not successful due to law enforcement notifying victims that their networks had been compromised before Tymoshchuk actually deployed the ransomware.
Then, between July 2020 and October 2021, Tymoshchuk became the administrator for Nefilim and provided affiliates with access to the ransomware in exchange for 20 percent of the extorted ransom proceeds. One of these affiliates is Artem Stryzhak, who was extradited from Spain and currently faces charges in the Eastern District of New York.
Tymoshchuk, meanwhile, remains at large, which is a common issue for the U.S. government when it comes to ransomware operators or affiliates who may reside in “safe harbor” countries despite facing charges in the U.S. or elsewhere. Still, the government has made strides in convicting cybercriminals: since 2020, the Justice Department’s Computer Crime and Intellectual Property Section (CCIPS) said it has secured the conviction of over 180 cybercriminals, as well as court orders for the return of more than $350 million in victim funds.
To add pressure for Tymoshchuk’s arrest, the U.S. government on Tuesday also offered a reward of $10 million for information leading to his arrest or conviction. The government said it will also pay out up to $1 million for information leading to the arrests of other key leaders of the Nefilim, LockerGoga, and MegaCortex ransomware families.
Law enforcement dealt a blow to LockerGoga and MegaCortex in 2022 when decryption keys for the ransomware variants were made available through an international coordinated effort (specifically via the “No More Ransomware Project,” which aims to help ransomware victims decrypt their systems without paying a ransom). With these keys publicly available, victims could recover data previously encrypted with LockerGoga and MegaCortex, significantly undercutting the power behind both ransomware families.
“For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted,” said U.S. Attorney Joseph Nocella Jr. for the Eastern District of New York in a statement. “Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”
Note: Cisco and Duo are no longer affiliated with Decipher. All opinions and content provided here from April 11 are solely that of Decipher and do not reflect opinions or content of Cisco Systems, Inc. or any of its affiliates.
Lindsey O’Donnell-Welch is an award-winning journalist who strives to shed light on how security issues impact not only businesses and defenders on the front line, but also the daily lives of consumers.