LockBit developer snared in latest blow for infamous hacker group
A ‘key member’ of the LockBit ransomware collective has been charged by US authorities in the latest development in their ongoing quest to shutter the operation.
The US Department of Justice (DoJ) issued a notice on 20 December that Rostislav Panev, a dual Israeli-Russian national, was arrested in Israel and is pending extradition for being linked to the infamous hacker group.
Panev is accused of assisting in the development of the malware deployed by the group in its thousands of attacks on businesses and governments around the world since its formation in 2019.
“The criminal complaint alleges that Rostislav Panev developed malware and maintained the infrastructure for LockBit, which was once the world’s most destructive ransomware group and attacked thousands of victims, causing billions of dollars in damage,” said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division.
The complaint noted that Panev is believed to have acted as a developer of the LockBit operation from its inception in 2019 through to at least February 2024, during which time the group became the “most active and destructive ransomware group in the world”.
The LockBit group is said to have attacked over 2,500 victims across 120 countries, targeting 1,800 organizations in the US.
The notice also stated the group is believed to have generated at least $500 million in ransom payments, as well as causing billions of dollars in damage through lost revenue and costs associated with incident response and recovery.
At the time of Panev’s arrest in Israel in August, law enforcement said it discovered, on Panev’s computer, administrator credentials for an online repository hosted on the dark web.
The repository held source code for a number of different versions of LockBit builder, which allowed affiliates to create specific variants of the ransomware to target particular organizations.
It also included source code for the StealBit tool, which affiliates used to exfiltrate data during their attacks, as well as access credentials for the LockBit control panel.
Final blow for floundering LockBit?
Panev is the seventh suspected LockBit member to be identified and charged by US law enforcement.
In February 2024, a joint operation with the FBI, NCA, and other international partners was able to take control of LockBit’s infrastructure and infiltrate the criminal network.
At the time, experts warned that this would not be the end of the group, predicting the collective would be able to recover using backups and ramp up their activities later in the year.
The group had been running at “limited capacity” since then, according to the NCA. Dmitry Khoroshev, the group’s supposed leader, known as LockBitSupp, was identified in May 2024, with a $10 million reward announced for any information leading to his arrest and conviction.
Khoroshev’s arrest was described as “another nail in the LockBit coffin” and Panev’s arrest proves the continued success of law enforcement operations against the notorious group.
Jeremy Kenelly, senior principal analyst, financial crime analysis at Google Cloud’s Mandiant threat intelligence team, described LockBit’s dominance over the digital extortion industry in recent years.
“For three years, LockBit reigned as the undisputed, and most prolific ransomware family used by cyber criminals. Throughout this time the service operators and developers supporting LockBit continually released new tools and capabilities enabling their affiliates to disrupt countless international businesses and extract enormous ransom payments.”
Kenelly noted that the arrest is just the latest in a continued effort from law enforcement against the group.
“The arrest and extradition of Rostislav Panev follows months of infrastructure disruptions, indictments, sanctions and arrests targeting the LockBit ransomware service, its operators, and affiliates using the platform to support their ransomware operations,” he explained.
“These international law enforcement efforts to disrupt LockBit have proven incredibly effective at dismantling and discrediting the brand; the volume of ransomware intrusions associated with the service has dropped precipitously since the summer of 2024.”
He added that while LockBit affiliates will simply move on to other ransomware collectives, the importance of successful operations against digital extortion groups should not be discounted.
“Although intrusion operators previously affiliated with LockBit have, in many cases, likely just shifted to work with other services, these continued efforts are critical to ensuring that ransomware and extortion are seen as crimes for which there are consequences.”