The US Department of State is offering up to $11 million for information leading to the arrest of Volodymyr Tymoshchuk, accused of deploying ransomware that targeted hospitals, companies, and major industrial firms


US federal prosecutors have unsealed a superseding indictment charging a Ukrainian national for his alleged role in international ransomware schemes that targeted hundreds of organizations, including healthcare institutions.

The indictment charges Volodymyr Tymoshchuk with deploying the LockerGoga, MegaCortex, and Nefilim ransomware variants between December 2018 and October 2021. The attacks encrypted computer networks and caused tens of millions of dollars in losses from system damage and ransom payments across the US, France, Germany, and other countries, according to a release from the US Attorney’s Office, Eastern District of New York. Tymoshchuk is not currently in US custody.

The attacks allegedly resulted in the complete disruption of business operations for some victims until their data could be recovered. The US Department of State’s Transnational Organized Crime (TOC) Rewards Program is now offering a reward of up to $11 million for information leading to Tymoshchuk’s arrest or conviction.

“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” says Joseph Nocella, Jr, United States attorney for the Eastern District of New York, in a release. “Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”

Attack Methods and Technical Details

According to the indictment, the conspirators gained initial access to victim networks through various methods, including using hacking tools to find security vulnerabilities, conducting brute-force password cracking attacks, and purchasing compromised network credentials. Once inside, they used other tools to move laterally across systems and escalate their administrative privileges.

After establishing sufficient access, the attackers deployed either LockerGoga or MegaCortex ransomware to encrypt files. Between July 2019 and June 2020, the group allegedly compromised the networks of more than 250 companies in the US alone. In September 2022, decryption keys for these two ransomware strains were made publicly available through the “No More Ransomware Project,” allowing some victims to recover their data.

Ransomware-as-a-Service and Data Exfiltration

From approximately July 2020 to October 2021, Tymoshchuk allegedly acted as an administrator for Nefilim ransomware, which operated as a “ransomware as a service” enterprise. This model provided ransomware tools to affiliates in exchange for a percentage of the extortion payments collected.

With the Nefilim variant, the attackers also stole data before encrypting the network. Ransom notes threatened to publish the stolen data on publicly accessible “Corporate Leaks” websites if the victims did not pay. According to prosecutors, Tymoshchuk preferred to target companies in the US, Canada, or Australia with annual revenues exceeding $100 million.

“The criminals behind Nefilim ransomware may believe they can profit from extortion and data leaks, but they are wrong,” says Christopher JS Johnson, special agent in charge at the Federal Bureau of Investigation (FBI) Springfield, Illinois Field Office, in a release. “The FBI is actively pursuing them to disrupt their operations and bring them to justice. We urge all organizations to report these attacks immediately—because every report helps us dismantle these networks and ensure cybercriminals are held accountable.”
