Russian-Israeli National Faces 41-Count Indictment for LockBit Development
A dual Russian and Israeli national alleged to have been a developer for the infamous LockBit ransomware group has been charged by the U.S. Department of Justice in a 41-count indictment. Rostislav Panev, 51, a resident of Haifa in Israel, was arrested by Israeli authorities in August 2024. An analysis of Panev’s computer revealed he had credentials for a dark web repository containing the source code of several different versions of the LockBit builder, used by affiliates of the Ransomware-as-a-Service (RaaS) operation to create custom versions of the LockBit encryptor. The repository also contained leaked Conti ransomware source code and tools used by LockBit affiliates, including StealBit, a tool for exfiltrating data from victims’ networks. The computer also contained credentials for the LockBit control panel.
The U.S. Department of Justice alleges Panev was a developer of LockBit ransomware since the group emerged in 2019 and maintained the ransomware group’s infrastructure, including tools used by affiliates to disable anti-virus software, deploy malware across victims’ networks, and print ransom notes on all printers connected to victims’ networks. In addition to development work on the LockBit builder and admin panel, Panev is alleged to have engaged in consultancy work for the group and provided technical guidance. Panev engaged in direct communications with the ransomware group’s administrator, Russian national Dmitry Yurevich Khoroshev (aka LockBitSupp). Khoroshev transferred $230,000 of laundered funds to a cryptocurrency wallet held by Panev between 2022 and 2024 as payment for his work, in transfers of approximately $10,000 per month. Panev admitted to Israeli officials that he received payment for coding, development, and consulting work for LockBit.
For several years, LockBit has been one of the most prolific ransomware groups, conducting over 2,500 ransomware attacks in more than 120 countries since 2019, including many attacks on healthcare organizations. The group is believed to have generated more than $500 million in ransom payments. An international law enforcement operation – Operation Cronos – in February 2024 resulted in the seizure of LockBit infrastructure, including the decryption keys for around 7,000 victims. LockBit was able to quickly recover and remains active, although attacks have been conducted at a lower level since the infrastructure takedown. The LockBit group recently hinted about the release of a new encryptor, LockBit 4.0.
Panev faces one count of conspiracy to commit fraud and related activity in connection with computers for his role in developing tools used by others to intentionally cause damage to a protected computer without authorization, and one count of conspiracy to commit wire fraud for knowingly conspiring and agreeing with others on a scheme to defraud victims. Of the 41 counts, 13 concern intentional damage to a protected computer related to ransomware attacks on 13 victims in the United States between October 2021 and May 2024, 13 concern extortion in relation to information unlawfully obtained from a protected computer, and 13 concern extortion in relation to intentional damage to a protected computer.
The Department of Justice has now charged 7 LockBit members, including the group’s administrator Khoroshev, and three of those individuals have been arrested. Khoroshev is believed to reside in Russia beyond the reach of Western law enforcement. The U.S. International Department of the State Attorney’s Office in Israel has reportedly petitioned the Jerusalem District Court to agree to extradite Panev to the United States to face trial in the District of New Jersey.


