Full Report
The U.S. has succeeded in extraditing a suspected LockBit ransomware developer who was arrested last year. Rostislav Panev, 51, a dual Russian and Israeli national, was arrested in Israel last year on a U.S. provisional arrest request. The U.S. Department of Justice (DOJ) announced yesterday that Panev has been extradited to the U.S. on charges that he was a developer for the LockBit ransomware group. Following an initial court appearance before U.S. Magistrate Judge André M. Espinosa, Panev was detained pending trial.

“Rostislav Panev’s extradition to the District of New Jersey makes it clear: if you are a member of the LockBit ransomware conspiracy, the United States will find you and bring you to justice,” U.S. Attorney John Giordano said in a statement. “Even as the means and methods of cybercriminals become more sophisticated, my Office and our FBI, Criminal Division, and international law enforcement partners are more committed than ever to prosecuting these criminals.”

Panev’s extradition comes as the LockBit ransomware group tries to relaunch following a year of international law enforcement efforts.

LockBit Ransomware Developer Worked for Group Since Launch

According to court documents and statements, Panev was a developer for the LockBit ransomware group from its inception around 2019 through at least February 2024. “During that time, Panev and his LockBit coconspirators grew LockBit into what was, at times, the most active and destructive ransomware group in the world,” the DOJ statement said. The LockBit group claimed more than 2,500 victims in at least 120 countries, including 1,800 in the U.S., the DOJ said. According to Cyble data, LockBit has been by far the most active ransomware group in recent years. Even after a year of reduced activity, the group’s 2,700+ victims are still triple the total of the next nearest group, the CL0P ransomware group.

However, one attack in particular was ill-advised: a 2022 attack on the Toronto Hospital for Sick Children, which led to an apology from LockBit along with a free decryptor – and increased law enforcement attention. LockBit extracted at least $500 million in ransom payments from victims and caused billions of dollars in other losses, the DOJ said. LockBit’s membership comprised “developers” like Panev, who designed the LockBit malware code and maintained operational infrastructure, and “affiliates,” who carried out attacks and extorted victims. They split the ransom payments.

Panev Evidence Cited

A superseding complaint alleges that at the time of Panev’s arrest last August, law enforcement found on his computer the administrator credentials for an online repository that was hosted on the dark web and contained source code for multiple versions of the LockBit builder, which allowed affiliates to generate custom builds for particular victims. The repository also contained source code for LockBit’s StealBit tool, which was used for exfiltration, the DOJ said, adding that law enforcement also discovered access credentials for the LockBit control panel maintained by the developers for affiliates.

The complaint also alleges that Panev “exchanged direct messages through a cybercriminal forum with LockBit’s primary administrator,” alleged by the U.S. to be Dmitry Yuryevich Khoroshev, also known as LockBitSupp, LockBit, and putinkrab. Those messages discussed work that needed to be done on the LockBit builder and control panel. Between June 2022 and February 2024, the U.S. claims, the primary LockBit administrator “made a series of transfers of cryptocurrency, laundered through one or more illicit cryptocurrency mixing services, of approximately $10,000 per month to a cryptocurrency wallet owned by Panev. Those transfers amounted to over $230,000 during that period.”

The DOJ said that in interviews with Israeli authorities following his arrest, “Panev admitted to having performed coding, development, and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work, consistent with the transfers identified by U.S. authorities.” That work allegedly included code to disable antivirus software, to deploy malware to multiple computers connected to a victim network, and to print the LockBit ransom note to all printers connected to a victim network. The U.S. says Panev “also admitted to having written and maintained LockBit malware code and to having provided technical guidance to the LockBit group.”

Seven LockBit members have now been charged in the District of New Jersey, according to the DOJ. Beyond Panev and Khoroshev, who remains at large, other previously charged LockBit suspects include: affiliates Mikhail Vasiliev, also known as Ghostrider, Free, Digitalocean90, Digitalocean99, Digitalwaters99, and Newwave110, and Ruslan Astamirov, also known as BETTERPAY, offtitan, and Eastfarmer, who pled guilty and are awaiting sentencing. Affiliates Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, have also been charged and remain at large, as has Mikhail Matveev, also known as Wazawaka, m1x, Boriselcin, and Uhodiransomwar. Rewards of up to $10 million have been offered for the at-large suspects.
Analysis Summary
# Threat Actor: LockBit Ransomware Group (Focus on Alleged Developer "Panev")
## Attribution & Identity
The primary focus is on the extradition of an alleged developer connected to the **LockBit Ransomware Group**. The report identifies this individual as **Rostislav Panev**, 51, a dual Russian and Israeli national, arrested in Israel on a U.S. provisional arrest request. LockBit is a highly active Ransomware-as-a-Service (RaaS) operation. Seven members of LockBit have been charged by the U.S. Department of Justice (DOJ) in the District of New Jersey.
**Known Aliases and Associated Groups (Other Charged Members):**
* **Dmitry Yuryevich Khoroshev** (Aliases: LockBitSupp, LockBit, putinkrab) - Alleged primary administrator, remains at large
* **Mikhail Vasiliev** (Aliases: Ghostrider, Free, Digitalocean90, Digitalocean99, Digitalwaters99, Newwave110) - Affiliate (Pled guilty, awaiting sentencing)
* **Ruslan Astamirov** (Aliases: BETTERPAY, offtitan, Eastfarmer) - Affiliate (Pled guilty, awaiting sentencing)
* **Artur Sungatov** - Charged, at large
* **Ivan Kondratyev** (Alias: Bassterlord) - Charged, at large
* **Mikhail Matveev** (Aliases: Wazawaka, m1x, Boriselcin, Uhodiransomwar) - At large
## Activity Summary
The article focuses on legal actions against the developers and affiliates of the LockBit ransomware operation, indicating ongoing disruptive activity by the group globally. The specific activity highlighted involves the extradition of Panev, who cooperated with Israeli authorities post-arrest, detailing his development work for the group and admitting to receiving regular cryptocurrency payments.
## Tactics, Techniques & Procedures
Specific TTPs attributed to the work of the alleged developer, Panev:
* Coding, development, and consulting work for the LockBit group.
* Developing code used to **disable antivirus software** on victim machines.
* Developing code to **deploy malware to multiple computers** connected to a victim network.
* Developing code to **print the LockBit ransom note to all printers** connected to a victim network.
* Writing and maintaining the core **LockBit malware code**.
* Providing **technical guidance** to the LockBit group.
* (MITRE ATT&CK IDs were not present in the provided text.)
## Targeting
* **Sectors:** Not explicitly enumerated in the report. The one named attack, the 2022 attack on the Toronto Hospital for Sick Children, shows healthcare among the sectors hit; LockBit classically targets diverse sectors with heavy impact on business operations.
* **Geography:** LockBit claimed more than 2,500 victims in at least 120 countries, including 1,800 in the U.S. The actions against Panev were handled by Israeli and U.S. authorities, underlining the group's international reach.
* **Victims:** The only victim named in the report is the Toronto Hospital for Sick Children (2022), for which LockBit issued an apology and a free decryptor. No victims are tied specifically to Panev's code in the extradition coverage.
## Tools & Infrastructure
* **Malware families used:** **LockBit Ransomware** is the core tool; the report also names the **LockBit builder** (multiple versions, used by affiliates to generate custom builds for particular victims) and the **StealBit** exfiltration tool.
* **Infrastructure (C2, domains, IPs):** The report cites a dark-web-hosted source code repository, a developer-maintained **LockBit control panel** used by affiliates, and **cryptocurrency** payments of approximately $10,000 per month to a wallet owned by Panev, laundered through one or more illicit mixing services. No defanged indicators (domains, IPs) are provided.
## Implications
The extradition and charging of LockBit developers and affiliates signify a significant, coordinated international law enforcement effort (led by the DOJ) to dismantle the LockBit RaaS infrastructure. This suggests operational disruption to the group's development capability and high-level affiliates. The significant rewards offered ($10 million USD) for at-large suspects show continued high priority in capturing key figures.
## Mitigations
While the article focuses on legal action, effective defensive measures against LockBit and similar RaaS groups generally require:
* Robust endpoint protection capable of standing up to malware designed to **disable antivirus software**.
* Strict network segmentation to limit the lateral movement of deployed malware.
* Securing all network-attached devices, including printers, to prevent unauthorized use during an intrusion.
* Proactive monitoring for cryptocurrency transactions linked to known threat actor wallets (if available).
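As an added example (not from the Cyble article or the DOJ filings), the Python below turns two of the developer TTPs listed above into correlation logic over constructed Windows event records: antivirus real-time protection being disabled, and one document being fanned out to many printers from a single host. Event IDs 5001 (Microsoft-Windows-Windows Defender, real-time protection disabled) and 307 (Microsoft-Windows-PrintService/Operational, document printed) are the real Windows IDs; the hostnames, printer names and document names are assumed sample values.

```python
"""Correlation check over constructed Windows event records for two TTPs the
report attributes to the LockBit developer: antivirus disabled and the ransom
note printed to every printer on the network. Event IDs assumed: Defender 5001
(real-time protection disabled) and PrintService 307 (document printed).
All sample data below is constructed, not taken from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, provider, event_id, detail)
SAMPLE_EVENTS = [
    ("2024-02-10T02:11:04", "WS-07", "Defender", 5001, "Real-time protection disabled"),
    ("2024-02-10T02:13:20", "WS-07", "PrintService", 307, "printer=HR-Laser;doc=Restore-My-Files.txt"),
    ("2024-02-10T02:13:21", "WS-07", "PrintService", 307, "printer=Lobby-MFP;doc=Restore-My-Files.txt"),
    ("2024-02-10T02:13:22", "WS-07", "PrintService", 307, "printer=Finance-01;doc=Restore-My-Files.txt"),
    ("2024-02-10T02:13:22", "WS-07", "PrintService", 307, "printer=Lab-Plotter;doc=Restore-My-Files.txt"),
    ("2024-02-10T09:00:00", "WS-12", "PrintService", 307, "printer=HR-Laser;doc=Q1-budget.xlsx"),
    ("2024-02-10T09:05:00", "WS-12", "PrintService", 307, "printer=HR-Laser;doc=Q1-budget.xlsx"),
]

def parse_detail(detail):
    """Turn 'k=v;k=v' print-job detail text into a dict."""
    return dict(kv.split("=", 1) for kv in detail.split(";"))

def find_alerts(events, window_minutes=15, min_printers=3):
    """Return sorted (host, reason) alerts: one for any AV-disabled event, and one
    when a single document reaches >= min_printers distinct printers from one
    host inside the time window (the ransom-note print fan-out)."""
    alerts = set()
    by_host = defaultdict(list)
    for ts, host, provider, eid, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), provider, eid, detail))
    window = timedelta(minutes=window_minutes)
    for host, evs in by_host.items():
        evs.sort()  # chronological order per host
        if any(p == "Defender" and e == 5001 for _, p, e, _ in evs):
            alerts.add((host, "antivirus real-time protection disabled"))
        prints = [(t, parse_detail(d)) for t, p, e, d in evs
                  if p == "PrintService" and e == 307]
        for i, (t0, d0) in enumerate(prints):
            # Distinct printers that received the same document within the window
            printers = {d["printer"] for t, d in prints[i:]
                        if t - t0 <= window and d["doc"] == d0["doc"]}
            if len(printers) >= min_printers:
                alerts.add((host, f"document {d0['doc']} sent to {len(printers)} printers"))
                break
    return sorted(alerts)
```

Normal office printing (WS-12, the same spreadsheet sent twice to one printer) produces no alert, while WS-07 raises both conditions within minutes of each other, which is the pairing worth escalating.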