Full Report
A dual Russian and Israeli national has been charged in the United States for allegedly being the developer of the now-defunct LockBit ransomware-as-a-service (RaaS) operation since its inception in or around 2019 through at least February 2024. Rostislav Panev, 51, was arrested in Israel earlier this August and is currently awaiting extradition, the U.S. Department of Justice (DoJ) said in a
Analysis Summary
# Threat Actor: LockBit Ransomware Operation (Developer focus: Rostislav Panev)
## Attribution & Identity
The focus is on **Rostislav Panev**, a 51-year-old dual Russian and Israeli national, identified as the developer of the LockBit Ransomware-as-a-Service (RaaS) operation from its inception around 2019 until at least February 2024. Panev was arrested in Israel in August and is awaiting extradition. He is accused of building and maintaining the digital weapons for the LockBit group, and of communicating with its primary administrator **Dmitry Yuryevich Khoroshev** (alias **LockBitSupp**).
Known Aliases/Associated Groups:
* **LockBit:** Ransomware-as-a-Service (RaaS) group.
* **Associated Members Charged in US:** Mikhail Vasiliev, Ruslan Astamirov, Artur Sungatov, Ivan Gennadievich Kondratiev, Mikhail Pavlovich Matveev.
## Activity Summary
LockBit was one of the most prolific ransomware groups globally until its infrastructure was seized in February 2024 as part of the international law enforcement operation **Cronos**. The group targeted over 2,500 entities across at least 120 countries, allegedly netting at least $500 million in illicit profits. Panev allegedly earned approximately $230,000 between June 2022 and February 2024 from fund transfers. Despite recent setbacks, LockBit operators are reportedly planning a comeback with a new version, **LockBit 4.0**, scheduled for release in February 2025.
## Tactics, Techniques & Procedures
Panev's role involved coding, development, and technical guidance for the group. TTPs related to his development work include:
* Developing code to **disable antivirus software**.
* Developing code to **deploy malware** to multiple computers on a victim network.
* Developing code to **print the LockBit ransom note** to all connected printers on a victim network.
* Use of the **StealBit** tool by affiliates to **exfiltrate sensitive data** prior to encryption.
## Targeting
* Sectors: Hospitals, schools, non-profit organizations, critical infrastructure, government agencies, law enforcement agencies, multinational corporations, individuals, and small businesses.
* Geography: At least 120 countries globally.
* Victims: Over 2,500 entities, including 1,800 in the U.S. alone.
## Tools & Infrastructure
* **Malware families used:** LockBit ransomware (multiple builder versions).
* **Tools developed/maintained:** LockBit builder, LockBit control panel, StealBit (exfiltration tool).
* **Infrastructure:** Administrator credentials were found for a dark-web-hosted online repository containing LockBit source code.
## Implications
Panev's arrest represents a significant blow to the continued operation and development of the LockBit RaaS, as he was responsible for maintaining the core malware infrastructure. However, the reported plans for LockBit 4.0 suggest the core administrators are resilient and attempting to relaunch, indicating that the threat, while suppressed, is not neutralized.
## Mitigations
* Maintain robust endpoint detection and response capabilities capable of detecting and blocking newly developed malware strains.
* Ensure strong network segmentation to limit lateral movement should an initial compromise occur.
* Review and restrict printer permissions to prevent unauthorized printing of ransom notes across the network.
* Implement data exfiltration monitoring to detect activity associated with tools like StealBit.
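One way to operationalise the last mitigation (exfiltration monitoring), as an added example that is not code from the report and not an analysis of StealBit itself: a small Python detector that walks flow records per host and destination with a sliding time window and raises an alert when a host pushes more than a byte threshold to a non-allowlisted external destination within that window. The hostnames, addresses, internal ranges, allowlist, thresholds and the flow records themselves are constructed assumptions for illustration.

```python
"""Sliding-window outbound-volume detector over constructed flow records.

Flags (host, external destination) pairs whose outbound byte volume exceeds a
threshold inside a short window, which is the coarse signal a mass-exfiltration
tool leaves in flow/proxy telemetry regardless of the port it uses.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    ts: int          # epoch seconds
    src_host: str    # internal hostname
    dst_ip: str      # destination address
    dst_port: int    # destination port
    bytes_out: int   # bytes sent from src_host to dst_ip in this record


# Assumed internal address ranges; anything outside them is treated as external.
# (Defined explicitly rather than via ip_address().is_private, which also
# classifies the RFC 5737 documentation ranges used below as private.)
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Assumed allowlist of sanctioned external services (e.g. a SaaS backup target).
KNOWN_EXTERNAL = {"203.0.113.10"}

# Constructed sample flows (not real telemetry). WS-FIN-07 pushes ~105 MB to an
# unknown external host on 443 within a minute; the other hosts look ordinary.
SAMPLE_FLOWS = [
    Flow(1000, "WS-HR-01", "10.0.0.5", 445, 120_000),
    Flow(1010, "WS-HR-01", "203.0.113.10", 443, 300_000),      # allowlisted SaaS
    Flow(1020, "WS-FIN-07", "10.0.0.5", 445, 80_000),
    Flow(1030, "WS-FIN-07", "198.51.100.77", 443, 40_000_000),
    Flow(1040, "WS-FIN-07", "198.51.100.77", 443, 35_000_000),
    Flow(1050, "WS-FIN-07", "198.51.100.77", 443, 30_000_000),
    Flow(1100, "WS-ENG-03", "203.0.113.10", 443, 900_000),
    Flow(1200, "WS-ENG-03", "192.0.2.44", 22, 2_000_000),
]


def is_external(ip: str) -> bool:
    """True when the address falls outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_exfil(flows: Iterable[Flow], *, volume_threshold: int = 50_000_000,
                 window_seconds: int = 300,
                 known_external=KNOWN_EXTERNAL) -> list[dict]:
    """Return one alert per (host, destination) pair whose outbound bytes to a
    non-allowlisted external destination exceed volume_threshold within any
    window of window_seconds. The alert records the window in which the
    threshold was first crossed, which is the earliest point a responder
    could have acted on it."""
    by_pair: dict[tuple, list[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if not is_external(f.dst_ip) or f.dst_ip in known_external:
            continue
        by_pair[(f.src_host, f.dst_ip)].append(f)

    alerts = []
    for (host, dst), fl in by_pair.items():
        start, total = 0, 0
        for end, f in enumerate(fl):
            total += f.bytes_out
            # Slide the window forward until it spans at most window_seconds.
            while fl[end].ts - fl[start].ts > window_seconds:
                total -= fl[start].bytes_out
                start += 1
            if total > volume_threshold:
                alerts.append({
                    "host": host,
                    "dst": dst,
                    "bytes": total,
                    "first_ts": fl[start].ts,
                    "last_ts": f.ts,
                    "ports": sorted({x.dst_port for x in fl[start:end + 1]}),
                })
                break  # one alert per pair is enough to open a case
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_FLOWS):
        print(f"ALERT {alert['host']} -> {alert['dst']} "
              f"{alert['bytes']:,} bytes in {alert['last_ts'] - alert['first_ts']}s "
              f"(ports {alert['ports']})")
```

The detector keys on volume per destination over time rather than on port, because bulk exfiltration typically blends into ordinary HTTPS traffic; the threshold and window should be tuned against each environment's own outbound baseline, and the allowlist kept to destinations that have actually been sanctioned.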