Full Report
A 51-year-old dual Russian and Israeli national who is alleged to be a developer of the LockBit ransomware group has been extradited to the United States, nearly three months after he was formally charged in connection with the e-crime scheme. Rostislav Panev was previously arrested in Israel in August 2024. He is said to have been working as a developer for the ransomware gang from 2019
Analysis Summary
# Threat Actor: LockBit Ransomware Group (Developer Rostislav Panev)
## Attribution & Identity
The primary focus is on **Rostislav Panev**, a 51-year-old dual Russian and Israeli national, alleged to be a developer for the LockBit ransomware group. Panev was arrested in Israel in August 2024 and extradited to the U.S. in March 2025.
Known Aliases and Associated Groups:
* **Group:** LockBit ransomware syndicate.
* **Associated Members Charged:** Mikhail Vasiliev, Ruslan Astamirov, Artur Sungatov, Ivan Gennadievich Kondratiev, Mikhail Pavlovich Matveev, and Dmitry Yuryevich Khoroshev (LockBitSupp/Administrator).
## Activity Summary
Rostislav Panev allegedly worked as a developer for LockBit from 2019 until February 2024, when law enforcement seized the operation's infrastructure. LockBit is characterized as one of the most prolific ransomware groups globally.
* **Historical Campaign Scope:** Attacked over 2,500 entities across at least 120 countries.
* **Financial Impact:** Netted at least $500 million in illicit profits, causing billions in losses to victims.
* **Panev's Development Period Earnings:** Approximately $230,000 between June 2022 and February 2024.
* **Recent Status:** LockBit's online infrastructure was seized in a law enforcement exercise in February 2024. Panev was extradited to the U.S. in March 2025.
## Tactics, Techniques & Procedures
The article details the specific development work Panev admitted to completing for the group:
* Development of code to **disable antivirus software**.
* Development of code to **deploy malware to multiple computers** connected to a victim network.
* Development of code to **print the LockBit ransom note** to all printers connected to a victim network.
* Writing and maintaining the core **LockBit malware codebase**.
* Providing **technical guidance** to the LockBit group.
* *Note: Specific MITRE ATT&CK IDs were not provided in the text.*
## Targeting
* **Sectors:** Individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.
* **Geography:** Attacks occurred in at least 120 countries globally.
* **Victims:** Nearly 1,800 victims were located in the United States.
## Tools & Infrastructure
* **Malware families used:** LockBit ransomware (codebase maintenance/development).
* **Infrastructure (C2, domains, IPs):** Not specified in detail; the article mentions only that the operation's infrastructure was seized by law enforcement in February 2024.
## Implications
The successful extradition and charging of a recognized developer like Panev signal a significant, sustained commitment by U.S. law enforcement (specifically the USAO-NJ) to dismantle major ransomware syndicates like LockBit, even targeting individuals residing abroad. This raises the risk assessment for all remaining developers, affiliates, and administrators associated with this and similar Ransomware-as-a-Service (RaaS) operations.
## Mitigations
* **General Ransomware Defense:** Given the group's reported focus on disabling security tools and on deploying malware across every computer in a victim network, organizations must maintain robust endpoint protection, especially defenses capable of detecting and blocking malware execution and unauthorized configuration changes (including attempts to disable or tamper with antivirus).
* **Printing/Note Deployment:** Restrict unauthorized printing, and ensure that mass printing of unexpected documents to network-connected printers is detected and contained quickly, since a single document fanned out to many printers within minutes is the pattern described for the ransom note.
* **Attribution & Sanctions:** Organizations should monitor OFAC sanctions lists, as several key LockBit members have been sanctioned.
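A detection that fits the printing mitigation above, written for this page as an added example rather than code from the article or from any product: it parses constructed print-audit lines (the field layout, the user, host, printer and document names are all assumptions) and flags a host that sends one document to several distinct printers within a few minutes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample print-audit lines (not from the article): timestamp, user, source host,
# printer, document. The field layout is an assumption made for this example.
SAMPLE_LOG = """\
2024-02-01T09:00:01Z alice WS-01 PRN-FIN-01 Q1_budget.xlsx
2024-02-01T09:03:12Z bob WS-07 PRN-HR-02 offer_letter.docx
2024-02-01T09:15:00Z svc_backup SRV-12 PRN-FIN-01 README-RESTORE.txt
2024-02-01T09:15:02Z svc_backup SRV-12 PRN-HR-02 README-RESTORE.txt
2024-02-01T09:15:03Z svc_backup SRV-12 PRN-OPS-03 README-RESTORE.txt
2024-02-01T09:15:05Z svc_backup SRV-12 PRN-LOBBY-04 README-RESTORE.txt
2024-02-01T09:15:06Z svc_backup SRV-12 PRN-WH-05 README-RESTORE.txt
2024-02-01T10:40:00Z alice WS-01 PRN-FIN-01 Q1_budget.xlsx
"""

def parse_print_log(text):
    """Parse whitespace-separated audit lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        ts, user, host, printer, doc = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "host": host, "printer": printer, "doc": doc})
    return events

def detect_mass_printing(events, window=timedelta(minutes=5), min_printers=3):
    """Flag (host, document) pairs sent to >= min_printers distinct printers within `window`.

    One document fanned out to many printers from one host in a short interval is
    the ransom-note printing pattern; ordinary users rarely do this."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["host"], e["doc"])].append(e)
    alerts = []
    for (host, doc), evs in by_key.items():
        start = 0  # sliding window over the time-ordered events for this pair
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            printers = {e["printer"] for e in evs[start:end + 1]}
            if len(printers) >= min_printers:
                alerts.append({"host": host, "user": evs[end]["user"], "doc": doc,
                               "printers": sorted(printers), "first_seen": evs[start]["ts"]})
                break  # one alert per host/document pair
    return alerts
```

Tune `window` and `min_printers` to the site's normal print behaviour; print servers that batch jobs may need a longer window.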