Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million reward

Police mugshot concept image showing silhouette of a man with back to wall.

(Image credit: Getty Images)

The US Department of Justice (DoJ) is offering a reward of up to $10 million for information leading to the arrest of a notorious ransomware criminal.

The suspect, Volodymyr Viktorovych Tymoshchuk, is believed to be a leading figure in an organized crime network responsible for the 2019 ransomware attack against a major Norwegian aluminum company, as well as a series of other global cyber attacks.

"The fugitive is wanted by several countries and is considered a top priority target for international law enforcement," said Europol, which has added Tymoshchuk to its EU Most Wanted list.

The 28-year-old Ukrainian national has a series of aliases – Deadforz, Boba, Farnetwork, Msfv, and Volotmsk – and is wanted for computer-related crimes, participation in a criminal organization, and racketeering and extortion.

Between 2018 and 2020, Tymoshchuk and his accomplices took part in the deployment of the LockerGoga ransomware against hundreds of companies, disrupting operations and demanding a ransom.

The group's activities caused more than $18 billion in damage worldwide, Europol said.

“Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world,” said US acting assistant attorney General Galeotti.

“In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored."

The international investigation has already led to the arrest of several other members of the criminal network in Ukraine.

According to the DoJ, law enforcement agencies have since mapped the structure of the group, identifying actors at every level – from malware developers and intrusion specialists to the money launderers responsible for handling the illicit proceeds.

The DoJ is also offering a separate reward of up to $1 million for information leading to the “arrest and/or convictions of other key leaders”.

Global damages range in the tens of billions

The group is believed to have carried out attacks against organizations in 71 countries, specifically targeting large corporations and deploying MegaCortex, Nefilim, HIVE, and Dharma ransomware, as well as LockerGoga.

Attacks took place through techniques including brute force attacks, SQL injections, and sending phishing emails with malicious attachments in order to steal usernames and passwords.

Once inside a network, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike, and PowerShell Empire to compromise as many systems as possible before triggering ransomware attacks.

They are believed to have encrypted more than 250 servers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros.

Who is Volodymyr Viktorovych Tymoshchuk?

Between July 2020 and October 2021, Tymoshchuk was one of the administrators of Nefilim ransomware, a ransomware as a service (RaaS) enterprise that provided tools to affiliates in return for a percentage of the extortionate payments they collected.

Nefilim ransom notes typically threatened the victims that, unless they paid up, the stolen data would be published on the group's publicly accessible Corporate Leaks websites.

“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said Joseph Nocella, US attorney for the Eastern District of New York.

“For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

TOPICS

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.