US charges suspected LockBit ransomware developer

The US Department of Justice has unsealed charges against Rostislav Panev, 51, a dual Russian and Israeli national, suspected of being a developer for the LockBit ransomware group.


Panev was arrested in August 2024 and is currently in custody in Israel pending extradition.

The charges

“According to the superseding complaint, documents filed in this and related cases, and statements made in court, Panev acted as a developer of the LockBit ransomware group from its inception in or around 2019 through at least February 2024,” the US DoJ says.

“During that time, Panev and his LockBit coconspirators grew LockBit into what was, at times, the most active and destructive ransomware group in the world.”

Panev is charged with being a core member of the LockBit ransomware-as-a-service outfit, designing the LockBit malware code and maintaining the infrastructure on which LockBit operated.

The criminal complaint says that at the time of Panev’s arrest, Israeli law enforcement found on his computer:

  • Administrator credentials for a dark web online repository, where source code for multiple versions of the LockBit builder was stored, along with source code for LockBit’s StealBit data exfiltration tool
  • Access credentials for the LockBit control panel, an online dashboard maintained by LockBit developers for LockBit’s affiliates

The complaint also alleges that Panev was in contact with LockBit’s alleged primary administrator, Dimitry Yuryevich Khoroshev, aka LockBitSupp, and discussed work that needed to be done on the LockBit builder and control panel.

“In interviews with Israeli authorities following his arrest in August, Panev admitted to having performed coding, development, and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work, consistent with the transfers identified by U.S. authorities,” the DoJ added.

“Among the work that Panev admitted to having completed for the LockBit group was the development of code to disable antivirus software; to deploy malware to multiple computers connected to a victim network; and to print the LockBit ransom note to all printers connected to a victim network. Panev also admitted to having written and maintained LockBit malware code and to having provided technical guidance to the LockBit group.”

Panev faces 41 counts, including conspiracy to commit fraud and wire fraud, intentional damage to a protected computer, and extortion.

LockBit victims and arrests of affiliates

The LockBit group and its affiliates attacked 2,500+ victims (both individuals and organizations) around the world, the DoJ says. 1,800 of those victims are located in the US.

The criminal complaint holds details about the impact of the attacks on some of the (unnamed) victims, including “Victim-12, a major financial institution based in China with operations in New York and New Jersey” that’s probably the Industrial and Commercial Bank of China (ICBC), which was hit by LockBit in 2023.

That specific victim organization ended up paying a ransom of approximately $449,075, according to the complaint, and the LockBit gang previously claimed that ICBC paid the ransom.

“Victim-11, a multinational aeronautical and defense corporation headquartered in Virginia” that was hit in late October 2023 and did not pay the ransom is likely Boeing.

All in all, the DoJ estimates that “LockBit’s members extracted at least $500 million in ransom payments from their victims and caused billions of dollars in other losses, including lost revenue and costs from incident response and recovery.”

LockBit’s operations were disrupted by an international law enforcement task force in February 2024.

A number of suspected LockBit affiliates have been arrested, charged and/or sentenced since then, and the group’s suspected leader was unmasked in May.
