Wednesday, 10 September 2025

Office of Public Affairs | “LockerGoga,” “MegaCortex,” and “Nefilim” Ransomware Administrator Charged with Ransomware Attacks

Earlier today, the U.S. District Court for the Eastern District of New York unsealed a superseding indictment charging Volodymyr Viktorovich Tymoshchuk — also known as deadforz, Boba, msfv, and farnetwork — a Ukrainian national, with serving as an administrator in the LockerGoga, MegaCortex, and Nefilim ransomware schemes.

“Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division. “In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored. This prosecution and today’s rewards announcement reflect our determination to protect businesses from digital sabotage and extortion and to relentlessly pursue the criminals responsible, no matter where they are located.”

“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said U.S. Attorney Joseph Nocella Jr. for the Eastern District of New York. “For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”

“Volodymyr Tymoshchuk repeatedly used ransomware attacks to target hundreds of companies in the United States and around the globe in attempts to extort victims,” said Assistant Director in Charge Christopher G. Raia of the FBI New York Field Office. “Today’s announcement should serve as a warning: cyber criminals may believe they act with impunity while conducting harmful cyber intrusions, but law enforcement is onto you and will hold you accountable. The FBI along with our law enforcement partners will continue to scour the globe to bring to justice any individual attempting to use the anonymity of the internet to commit crime.”

“The criminals behind Nefilim ransomware may believe they can profit from extortion and data leaks, but they are wrong,” said Special Agent in Charge Christopher J. S. Johnson of the FBI’s Springfield Field Office. “The FBI is actively pursuing them to disrupt their operations and bring them to justice. We urge all organizations to report these attacks immediately — because every report helps us dismantle these networks and ensure cybercriminals are held accountable.”

As alleged in the superseding indictment, between December 2018 and October 2021, Tymoshchuk used the LockerGoga, MegaCortex, and Nefilim ransomware variants to encrypt computer networks in countries around the world, including in the Eastern District of New York, elsewhere in the United States, France, Germany, the Netherlands, Norway, and Switzerland. These ransomware attacks caused millions of dollars of losses, including damage to victim computer systems, remediation costs, and ransomware payments to the perpetrators. In these attacks, the perpetrators typically customized the ransomware executable file (the ransomware file responsible for encryption) for each ransomware victim. The customization allowed the ransomware actors to create a decryption key that could only decrypt the network of the specific victim. If a victim paid the ransom demand, the perpetrators would send a decryption tool, which enabled the victim to decrypt the computer files locked by the ransomware program.

Between July 2019 and June 2020, Tymoshchuk and his co‑conspirators are alleged to have compromised the networks of more than 250 victim companies in the United States and hundreds of other companies around the world with LockerGoga and MegaCortex. However, many of these extortion attempts were unsuccessful because law enforcement often notified victims that their networks had been compromised before Tymoshchuk and his co-conspirators were able to deploy the ransomware. Subsequently, from July 2020 through October 2021, Tymoshchuk is alleged to have been one of the administrators of the Nefilim ransomware strain. Tymoshchuk and the other Nefilim administrators provided other Nefilim ransomware affiliates, including co‑defendant Artem Stryzhak, who was extradited from Spain and faces charges in the Eastern District of New York, with access to the Nefilim ransomware in exchange for 20 percent of the ransom proceeds extorted from Nefilim victims.

In September 2022, as part of an international coordinated effort against LockerGoga and MegaCortex ransomware, decryption keys associated with those ransomware variants were made available to the public via the “No More Ransomware Project,” an initiative to empower ransomware victims to decrypt encrypted computers without paying a ransom. These decryption keys enabled compromised victim companies and institutions to recover data previously encrypted with LockerGoga and MegaCortex ransomware.

Tymoshchuk is charged with two counts of conspiracy to commit fraud and related activity in connection with computers, three counts of intentional damage to a protected computer, one count of unauthorized access to a protected computer, and one count of transmitting a threat to disclose confidential information.

The FBI is investigating this case.

Trial Attorney Brian Z. Mund of the Justice Department’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorneys Alexander F. Mindlin and Ellen H. Sise for the Eastern District of New York are prosecuting the case.

The Justice Department’s Office of International Affairs provided critical assistance, as did the FBI’s Legal Attachés, authorities in France, Czech Republic, Germany, Lithuania, Luxembourg, Netherlands, Norway, Switzerland, and Ukraine, and Europol and Eurojust via ICHIP The Hague.

CCIPS investigates and prosecutes cybercrime in coordination with domestic and international law enforcement agencies, often with assistance from the private sector. Since 2020, CCIPS has secured the conviction of over 180 cybercriminals, and court orders for the return of over $350 million in victim funds.

Concurrent with the unsealing of the superseding indictment, the U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program is offering rewards totaling up to $11 million for information leading to the arrest and/or conviction or location of Tymoshchuk or his conspirators.

Anyone with information on these malicious cyber actors, or associated individuals or entities, should contact the FBI via phone at +1-917-242-1407 or by email at TymoTips@fbi.gov. If you are in the United States, you can also contact your local FBI field office. If outside the United States, you can visit the nearest U.S. embassy. More information about the TOC reward offer is located on the State Department website.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

