Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million reward
Volodymyr Viktorovych Tymoshchuk is believed to have been behind hundreds of attacks
The US Department of Justice (DoJ) is offering a reward of up to $10 million for information leading to the arrest of a notorious ransomware criminal.
The suspect, Volodymyr Viktorovych Tymoshchuk, is believed to be a leading figure in an organized crime network responsible for the 2019 ransomware attack against a major Norwegian aluminum company, as well as a series of other global cyber attacks.
"The fugitive is wanted by several countries and is considered a top priority target for international law enforcement," said Europol, which has added Tymoshchuk to its EU Most Wanted list.
The 28-year-old Ukrainian national has a series of aliases – Deadforz, Boba, Farnetwork, Msfv, and Volotmsk – and is wanted for computer-related crimes, participation in a criminal organization, and racketeering and extortion.
Between 2018 and 2020, Tymoshchuk and his accomplices took part in the deployment of the LockerGoga ransomware against hundreds of companies, disrupting operations and demanding a ransom.
The group's activities caused more than $18 billion in damage worldwide, Europol said.
“Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world,” said US acting assistant attorney general Galeotti.
“In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored.”
The international investigation has already led to the arrest of several other members of the criminal network in Ukraine.
According to the DoJ, law enforcement agencies have since mapped the structure of the group, identifying actors at every level – from malware developers and intrusion specialists to the money launderers responsible for handling the illicit proceeds.
The DoJ is also offering a separate reward of up to $1 million for information leading to the “arrest and/or convictions of other key leaders”.
Global damages range in the tens of billions
The group is believed to have carried out attacks against organizations in 71 countries, specifically targeting large corporations and deploying MegaCortex, Nefilim, HIVE, and Dharma ransomware, as well as LockerGoga.
The group carried out its attacks using techniques including brute-force attacks, SQL injection, and phishing emails with malicious attachments in order to steal usernames and passwords.
Once inside a network, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike, and PowerShell Empire to compromise as many systems as possible before triggering ransomware attacks.
They are believed to have encrypted more than 250 servers belonging to large corporations, resulting in losses exceeding several hundred million euros.
Who is Volodymyr Viktorovych Tymoshchuk?
Between July 2020 and October 2021, Tymoshchuk was one of the administrators of Nefilim ransomware, a ransomware-as-a-service (RaaS) enterprise that provided tools to affiliates in return for a percentage of the extortion payments they collected.
Nefilim ransom notes typically threatened victims that, unless they paid up, their stolen data would be published on the group's publicly accessible Corporate Leaks websites.
“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said Joseph Nocella, US attorney for the Eastern District of New York.
“For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

