Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million reward
Volodymyr Viktorovych Tymoshchuk is believed to have been behind hundreds of attacks
The US Department of Justice (DoJ) is offering a reward of up to $10 million for information leading to the arrest of a notorious ransomware criminal.
The suspect, Volodymyr Viktorovych Tymoshchuk, is believed to be a leading figure in an organized crime network responsible for the 2019 ransomware attack against a major Norwegian aluminum company, as well as a series of other global cyber attacks.
"The fugitive is wanted by several countries and is considered a top priority target for international law enforcement," said Europol, which has added Tymoshchuk to its EU Most Wanted list.
The 28-year-old Ukrainian national has a series of aliases – Deadforz, Boba, Farnetwork, Msfv, and Volotmsk – and is wanted for computer-related crimes, participation in a criminal organization, and racketeering and extortion.
Between 2018 and 2020, Tymoshchuk and his accomplices took part in the deployment of the LockerGoga ransomware against hundreds of companies, disrupting operations and demanding a ransom.
The group's activities caused more than $18 billion in damage worldwide, Europol said.
“Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world,” said US acting assistant attorney General Galeotti.
“In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored."
The international investigation has already led to the arrest of several other members of the criminal network in Ukraine.
According to the DoJ, law enforcement agencies have since mapped the structure of the group, identifying actors at every level – from malware developers and intrusion specialists to the money launderers responsible for handling the illicit proceeds.
The DoJ is also offering a separate reward of up to $1 million for information leading to the “arrest and/or convictions of other key leaders”.
Global damages range in the tens of billions
The group is believed to have carried out attacks against organizations in 71 countries, specifically targeting large corporations and deploying MegaCortex, Nefilim, HIVE, and Dharma ransomware, as well as LockerGoga.
Attacks took place through techniques including brute force attacks, SQL injections, and sending phishing emails with malicious attachments in order to steal usernames and passwords.
Once inside a network, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike, and PowerShell Empire to compromise as many systems as possible before triggering ransomware attacks.
They are believed to have encrypted more than 250 servers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros.
Who is Volodymyr Viktorovych Tymoshchuk?
Between July 2020 and October 2021, Tymoshchuk was one of the administrators of Nefilim ransomware, a ransomware as a service (RaaS) enterprise that provided tools to affiliates in return for a percentage of the extortionate payments they collected.
Nefilim ransom notes typically threatened the victims that, unless they paid up, the stolen data would be published on the group's publicly accessible Corporate Leaks websites.
“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said Joseph Nocella, US attorney for the Eastern District of New York.
“For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
- Ransomware victims are refusing to play ball with hackers
- A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims
-
Salesforce targets telco gains with new agentic AI toolsNews Telecoms operators can draw on an array of pre-built agents to automate and streamline tasks
-
Four national compute resources launched for cutting-edge science and researchNews The new national compute centers will receive a total of £76 million in funding
-
Using AI to generate passwords is a terrible idea, experts warnNews Researchers have warned the use of AI-generated passwords puts users and businesses at risk
-
Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company respondedNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking
-
‘They are able to move fast now’: AI is expanding attack surfaces – and hackers are looking to reap the same rewards as enterprises with the technologyNews Potent new malware strains, faster attack times, and the rise of shadow AI are causing havoc
-
Ransomware gangs are using employee monitoring software as a springboard for cyber attacksNews Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
-
Ransomware gangs are sharing virtual machines to wage cyber attacks on the cheap – but it could be their undoingNews Thousands of attacker servers all had the same autogenerated Windows hostnames, according to Sophos
-
Google issues warning over ShinyHunters-branded vishing campaignsNews Related groups are stealing data through voice phishing and fake credential harvesting websites
-
Notepad++ hackers remained undetected and pushed malicious updates for six months – here’s who’s responsible, how they did it, and how to check if you’ve been affectedNews Hackers remained undetected for months and distributed malicious updates to Notepad++ users after breaching the text editor software – here's how to check if you've been affected.
-
CISA’s interim chief uploaded sensitive documents to a public version of ChatGPT – security experts explain why you should never do thatNews The incident at CISA raises yet more concerns about the rise of ‘shadow AI’ and data protection risks
