Full Report
Rostislav Panev is facing 40 counts for allegedly working for the cybercrime group as a software developer from 2019 up until February 2024 — the same month that law enforcement disrupted the LockBit scheme by seizing its darknet website and infrastructure.
Analysis Summary
# Threat Actor: Rostislav Panev (LockBit Associate)
## Attribution & Identity
* **Identification:** Rostislav Panev, a 51-year-old dual Russian and Israeli national.
* **Known Aliases/Associations:** Identified as a software developer for the LockBit ransomware group. His handle on a decentralized messaging platform included "FUCKFBI" followed by other characters. He was linked to a moniker used on a darknet cybercrime forum.
* **Associated Groups:** LockBit ransomware group.
## Activity Summary
Panev is accused of working as a software developer for LockBit from 2019 until February 2024, when law enforcement disrupted the group's infrastructure. He was recently detained in Israel, and the U.S. is seeking his extradition on 40 counts, including computer damage and extortion. Panev admitted to performing "multiple coding jobs for LockBit in exchange for compensation," totaling at least approximately $230,000, paid monthly (around $10,000) in cryptocurrency.
## Tactics, Techniques & Procedures
* Developing code for multiple LockBit builders (the custom software used to generate the ransomware).
* Writing code to disable Windows Defender antivirus.
* Writing code to propagate additional code throughout a compromised network via Windows Active Directory.
* Writing code to print a specified text (presumably the ransom note) on all printers across a network.
* Providing technical assistance and writing code for encryption malware.
* Utilizing private Git repositories (hosted on a .onion domain) for collaborative software development projects.
* Gaining access to the LockBit control panel, which requires a vetting process for access.
* Communicating via an unidentified decentralized, end-to-end encrypted messaging platform.
## Targeting
* **Sectors:** General cybercrime operations targeting organizations susceptible to ransomware infection.
* **Geography:** Activities spanned globally, given LockBit’s status as the "most damaging ransomware group in the world." Panev is currently detained in Israel, and has ties to Russia.
* **Victims:** Ransomware victims targeted by the LockBit operation. Specific organizations were not detailed in this summary.
## Tools & Infrastructure
* **Malware Families Used:** LockBit ransomware builders and encryption malware.
* **Infrastructure (C2, domains, IPs):**
  * A .onion domain hosting a private Git repository used for development.
  * Access to the LockBit control panel (gated by a vetting process).
## Implications
The arrest reaffirms the success of international law enforcement actions against the LockBit ecosystem, following the group's infrastructure takedown earlier in the year. Panev's role as a core developer highlights threats originating from specialized technical support within major ransomware operations. The DoJ views this case as a model for future ransomware investigations.
## Mitigations
* Implement robust endpoint protection and harden the Windows Defender configuration (tamper protection, locked-down policy settings), and alert on any attempt to disable it, since custom code was developed specifically to turn it off.
* Apply strong network segmentation and monitor for lateral movement and mass code deployment via Windows Active Directory.
* Harden printer security configurations (restrict who can submit print jobs, monitor print spooler activity) to prevent mass unauthorized print jobs such as ransom notes pushed to every printer on the network.
* Monitor access to developer collaboration tools such as Git when they are hosted internally or reached from unusual locations or protocols, especially where the destination is associated with suspected threat actor infrastructure.
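The first two mitigations above call for alerting on attempts to disable Windows Defender and for spotting code pushed to many hosts at once via Active Directory. The following detector is an added example written for this page, not code from the report or from any law enforcement source; it runs SIEM-style logic over a handful of constructed Windows Defender operational-log records (the event IDs 5001, 5007, 5010, 5012 and 5013 are real Microsoft-Windows-Windows Defender/Operational IDs; the hostnames, timestamps and message text are invented). Beyond flagging single hosts, it escalates when the same disable event appears on several hosts inside a short window, which is the pattern a domain-wide deployment of "disable Defender" tooling would produce.

```python
"""Flag Windows Defender disable attempts and fleet-wide spread from event records.

Added example for this page; all records below are constructed sample data.
Event IDs come from the Microsoft-Windows-Windows Defender/Operational channel.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Operational-log events that mean protection was actually switched off.
DEFENDER_DISABLE_EVENTS = {
    5001: "Real-time protection disabled",
    5010: "Scanning for malware disabled",
    5012: "Scanning for viruses disabled",
}
TAMPER_BLOCKED_EVENT = 5013   # tamper protection blocked a configuration change
CONFIG_CHANGED_EVENT = 5007   # antimalware platform configuration changed

# Policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender that
# policy-based "disable Defender" code typically sets to 1.
SUSPICIOUS_POLICY_VALUES = ("DisableAntiSpyware", "DisableRealtimeMonitoring")


@dataclass(frozen=True)
class Alert:
    host: str
    event_id: int
    reason: str
    severity: str   # "high" = protection off, "medium" = attempt blocked


def classify(record: dict) -> Optional[Alert]:
    """Map one event record to an Alert, or None if it is benign."""
    eid = record.get("event_id")
    host = record.get("host", "unknown")
    if eid in DEFENDER_DISABLE_EVENTS:
        return Alert(host, eid, DEFENDER_DISABLE_EVENTS[eid], "high")
    if eid == TAMPER_BLOCKED_EVENT:
        return Alert(host, eid, "Tamper protection blocked a change", "medium")
    if eid == CONFIG_CHANGED_EVENT:
        # 5007 carries the new registry value; only a disable flag set to 1 matters.
        new_value = record.get("new_value", "")
        if any(v in new_value for v in SUSPICIOUS_POLICY_VALUES) and new_value.strip().endswith("0x1"):
            return Alert(host, eid, f"Defender policy disable flag set: {new_value}", "high")
    return None


def detect(records: list, window_seconds: int = 300, host_threshold: int = 3) -> dict:
    """Return per-host alerts plus a fleet-wide flag.

    fleet_wide is True when 'high' alerts hit at least host_threshold distinct
    hosts within any window_seconds span, i.e. the pattern of tooling pushed to
    many machines at once (for example via Active Directory) rather than one
    admin changing a setting.
    """
    alerts = [a for a in (classify(r) for r in records) if a is not None]
    high = sorted(
        (datetime.fromisoformat(r["time"]), r["host"])
        for r in records
        if (a := classify(r)) is not None and a.severity == "high"
    )
    window = timedelta(seconds=window_seconds)
    fleet_wide = False
    for i, (start, _) in enumerate(high):
        hosts = {h for t, h in high[i:] if t - start <= window}
        if len(hosts) >= host_threshold:
            fleet_wide = True
            break
    return {"alerts": alerts, "fleet_wide": fleet_wide}


# Constructed sample records (not from the report): a burst of disable events
# across four hosts, one blocked attempt, and one benign scan-complete event.
SAMPLE_RECORDS = [
    {"time": "2024-02-19T10:00:00", "host": "ws01", "event_id": 5001},
    {"time": "2024-02-19T10:01:10", "host": "ws02", "event_id": 5001},
    {"time": "2024-02-19T10:02:05", "host": "srv-fs01", "event_id": 5001},
    {"time": "2024-02-19T10:02:30", "host": "ws03", "event_id": 5013},
    {"time": "2024-02-19T10:03:00", "host": "ws04", "event_id": 5007,
     "new_value": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 0x1"},
    {"time": "2024-02-19T10:05:00", "host": "ws05", "event_id": 1001},  # scan finished
]

if __name__ == "__main__":
    result = detect(SAMPLE_RECORDS)
    for a in result["alerts"]:
        print(f"[{a.severity}] {a.host} event {a.event_id}: {a.reason}")
    print("fleet-wide spread:", result["fleet_wide"])
```

In production the records would come from forwarded event logs rather than an inline list, and the window and host threshold should be tuned to the size of the estate; the point of the fleet-wide check is that a single 5001 on one workstation is an admin ticket, while the same event on several hosts within minutes is an incident.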