U.S. Charges Alleged LockBit Ransomware Developer

The U.S. on Friday announced charges against a dual Russian and Israeli national for his alleged role as a developer of the infamous LockBit ransomware group. The individual, Rostislav Panev, 51, was first arrested in Israel in August, where he currently remains in custody pending extradition to the U.S. 

Key Details: 

  • Panev allegedly acted as a developer of the LockBit ransomware group from its inception in 2019 through at least February 2024

  • Law enforcement found on Panev’s computer administrative credentials for an online repository hosted on the dark web, which stored source code for versions of the LockBit builder and for a LockBit tool aimed at helping affiliates exfiltrate data, as well as access credentials for the LockBit control panel

  • LockBit members extracted at least $500 million in ransom payments, and caused billions of dollars in other losses

The Background: The DoJ’s announcement shed light on the behind-the-scenes operations of the LockBit group and pointed to Panev’s broader role within the group. Panev worked to design the LockBit malware code and maintain its infrastructure, in contrast to other members (affiliates) who were more connected with carrying out LockBit attacks and extorting ransom payments from victims.

The DoJ found direct messages from Panev to LockBit’s primary administrator (Dmitry Yuryevich Khoroshev, also known as LockBitSupp), in which they discussed work that needed to be done on the LockBit builder and control panel. The DoJ also outlined a series of cryptocurrency payments made from the LockBit admin to a cryptocurrency wallet owned by Panev. These payments were around $10,000 a month and amounted to over $230,000 between 2022 and 2024.

“Among the work that Panev admitted to having completed for the LockBit group was the development of code to disable antivirus software; to deploy malware to multiple computers connected to a victim network; and to print the LockBit ransom note to all printers connected to a victim network,” according to the DoJ release. “Panev also admitted to having written and maintained LockBit malware code and to having provided technical guidance to the LockBit group.”

Why It Matters: The LockBit ransomware group is behind many high-profile and destructive cyberattacks, targeting more than 2,500 victims across at least 120 countries (including 1,800 in the U.S.). The group’s victims have included hospitals, schools, critical infrastructure and government agencies. 

The U.S. government has come down hard in its targeting of the group, and Panev is the seventh individual to be charged in affiliation with LockBit. Other identified members include Dmitry Yuryevich Khoroshev, the group’s primary creator, developer and administrator, who remains at large; two affiliate members (Mikhail Vasiliev and Ruslan Astamirov), who have pleaded guilty to their participation in LockBit attacks; Russian nationals Artur Sungatov and Ivan Kondratyev, who deployed the ransomware to many victims and remain at large; and Mikhail Matveev, who also utilized the ransomware. Several recent reports have said Matveev was arrested in Russia earlier this month; in its Friday release, the DoJ said Matveev remains at large.

The DoJ is also encouraging LockBit victims to contact the FBI. In February, the agency developed decryption capabilities to help victims restore systems that had been encrypted by LockBit.