This page was created programmatically. To read the article in its original location, go to the link below:
https://www.justice.gov/opa/pr/lockergoga-megacortex-and-nefilim-ransomware-administrator-charged-ransomware-attacks
If you want this article removed from our site, please contact us.
Earlier today, the U.S. District Court for the Eastern District of New York unsealed a superseding indictment charging Volodymyr Viktorovich Tymoshchuk, also known as deadforz, Boba, msfv, and farnetwork, a Ukrainian national, with serving as an administrator in the LockerGoga, MegaCortex, and Nefilim ransomware schemes.
“Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division. “In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored. This prosecution and today’s rewards announcement reflects our determination to protect businesses from digital sabotage and extortion and to relentlessly pursue the criminals responsible, no matter where they are located.”
“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said U.S. Attorney Joseph Nocella Jr. for the Eastern District of New York. “For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”
“Volodymyr Tymoshchuk repeatedly used ransomware attacks to target hundreds of companies in the United States and around the globe in attempts to extort victims,” said Assistant Director in Charge Christopher G. Raia of the FBI New York Field Office. “Today’s announcement should serve as warning, cyber criminals may believe they act with impunity while conducting harmful cyber intrusions, but law enforcement is onto you and will hold you accountable. The FBI along with our law enforcement partners will continue to scour the globe to bring to justice any individual attempting to use the anonymity of the internet to commit crime.”
“The criminals behind Nefilim ransomware may believe they can profit from extortion and data leaks, but they are wrong,” said Special Agent in Charge Christopher J. S. Johnson of the FBI’s Springfield Field Office. “The FBI is actively pursuing them to disrupt their operations and bring them to justice. We urge all organizations to report these attacks immediately — because every report helps us dismantle these networks and ensure cybercriminals are held accountable.”
As alleged in the superseding indictment, between December 2018 and October 2021, Tymoshchuk used the LockerGoga, MegaCortex, and Nefilim ransomware variants to encrypt computer networks in countries around the world, including in the Eastern District of New York, elsewhere in the United States, France, Germany, the Netherlands, Norway, and Switzerland. These ransomware attacks caused tens of millions of dollars of losses, including damage to victim computer systems, remediation costs, and ransomware payments to the perpetrators. In these attacks, the perpetrators typically customized the ransomware executable file (the ransomware file responsible for encryption) for each ransomware victim. The customization allowed the ransomware actors to create a decryption key that could only decrypt the network of the specific victim. If a victim paid the ransom demand, the perpetrators would send a decryption tool, which enabled the victim to decrypt the computer files locked by the ransomware program.
Between July 2019 and June 2020, Tymoshchuk and his co-conspirators are alleged to have compromised the networks of more than 250 victim companies in the United States and hundreds of other companies around the world with LockerGoga and MegaCortex. However, many of these extortion attempts were unsuccessful because law enforcement often notified victims that their networks had been compromised before Tymoshchuk and his co-conspirators were able to deploy the ransomware. Subsequently, from July 2020 through October 2021, Tymoshchuk is alleged to have been one of the administrators of the Nefilim ransomware strain. Tymoshchuk and the other Nefilim administrators provided other Nefilim ransomware affiliates, including co-defendant Artem Stryzhak, who was extradited from Spain and faces charges in the Eastern District of New York, with access to the Nefilim ransomware in exchange for 20 percent of the ransom proceeds extorted from Nefilim victims.
In September 2022, as part of an international coordinated effort against LockerGoga and MegaCortex ransomware, decryption keys associated with these ransomware variants were made available to the general public through the “No More Ransomware Project,” an initiative to empower ransomware victims to decrypt encrypted computers without paying a ransom. These decryption keys enabled compromised victim companies and institutions to recover data previously encrypted with LockerGoga and MegaCortex ransomware.
Tymoshchuk is charged with two counts of conspiracy to commit fraud and related activity in connection with computers, three counts of intentional damage to a protected computer, one count of unauthorized access to a protected computer, and one count of transmitting a threat to disclose confidential information.
The FBI is investigating this case.
Trial Attorney Brian Z. Mund of the Justice Department’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorneys Alexander F. Mindlin and Ellen H. Sise for the Eastern District of New York are prosecuting the case.
The Justice Department’s Office of International Affairs provided crucial assistance, as did the FBI’s Legal Attachés, authorities in France, Czech Republic, Germany, Lithuania, Luxembourg, Netherlands, Norway, Switzerland, and Ukraine, and Europol and Eurojust through ICHIP The Hague.
CCIPS investigates and prosecutes cybercrime in coordination with domestic and international law enforcement agencies, often with assistance from the private sector. Since 2020, CCIPS has secured the conviction of over 180 cybercriminals, and court orders for the return of over $350 million in victim funds.
Concurrent with the unsealing of the superseding indictment, the U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program is offering rewards totaling up to $11 million for information leading to the arrest and/or conviction or location of Tymoshchuk or his conspirators.
Anyone with information on these malicious cyber actors, or associated individuals or entities, should contact the FBI by phone at +1-917-242-1407 or by email at TymoTips@fbi.gov. If you are in the United States, you can also contact your local FBI field office. If outside the United States, you can visit the nearest U.S. embassy. More information about the TOC reward offer is located on the State Department website.
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.