Uncle Sam indicts alleged ransomware kingpin tied to $18B in damages
A Ukrainian national faces serious federal charges and an $11 million bounty after allegedly orchestrating ransomware operations that caused an estimated $18 billion in damages across hundreds of organizations worldwide.
Authorities have accused Volodymyr Tymoshchuk, 28, of masterminding three major ransomware operations — LockerGoga, MegaCortex, and Nefilim — that terrorized corporations between December 2018 and October 2021.
Prosecutors said Tymoshchuk was responsible for attacks on more than 250 companies in the US alone, in addition to hundreds more globally.
Among these was the infamous attack on Norsk Hydro in 2019, which garnered international attention both for its impact and for the company's transparent response.
Tens of thousands of PCs were locked down at its 170 sites, located across 40 countries, causing a reported $81 million worth of damage in downtime and cleanup costs. The majority of its 35,000 staff were affected, and all of its business operations were disrupted.
“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, healthcare institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” stated Joseph Nocella Jr, US attorney for the Eastern District of New York.
“In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored,” added Matthew R Galeotti, acting assistant attorney general at the Justice Department’s Criminal Division.
“This prosecution and today’s rewards announcement reflects our determination to protect businesses from digital sabotage and extortion and to relentlessly pursue the criminals responsible, no matter where they are located.”
Unlike many of his suspected accomplices, Tymoshchuk has not yet been arrested or extradited, but the US is offering rewards of up to $11 million for information that could lead to either end.
Tymoshchuk was also placed on Europe’s Most Wanted Fugitives list by France, which alleged that his group’s activities led to $18 billion worth of damages, branding him “dangerous.”
Charges
Per a superseding indictment [PDF] unsealed on September 9, Tymoshchuk faces seven counts related to computer intrusion offences.
The document highlights various attacks that the Feds claim were orchestrated by the Kyiv-based man. The extortion routinely involved organizations paying ransom sums north of $1 million.
The identities of the victim companies were largely kept under wraps, other than the date of the attack and the general locations of their headquarters.
Charges against Tymoshchuk include counts related to intentional damage to protected computers, unauthorized access to protected computers, computer fraud, and threatening to disclose confidential information.
If found guilty, and given the hundreds of attacks he allegedly oversaw, he could face a maximum sentence of life imprisonment – assuming he ever ends up in US custody.
Three operations and their tradecraft
During the LockerGoga and MegaCortex years, Tymoshchuk and co would allegedly gain access using various means, often remaining undetected on victim networks for months before deploying the ransomware payload.
Group members routinely abused the Cobalt Strike and Metasploit pentesting tools, and leaned on initial access brokers for stolen credentials when they couldn't brute-force them themselves.
According to the Justice Department, many of the criminals’ extortion attempts failed because US authorities notified would-be victims of suspicious network activity before ransomware could be deployed.
The indictment states that the Nefilim operation began in July 2020, a month after Tymoshchuk ceased working on LockerGoga and MegaCortex, and continued until October 2021.
Nefilim operated an affiliate model, with its attackers mainly targeting organizations with annual revenues exceeding $100 million, according to the indictment.
Researchers at Trend Micro, however, noted that the group’s selection pool was much smaller, targeting organizations with annual revenues of at least $1 billion.
They said that while Nefilim was not posting the same numbers as then-rivals Darkside, REvil, and Cl0p, its strategy was paying off – literally – topping the charts for ransomware payments by February 2021.
While the US has yet to secure the extradition of Tymoshchuk, one of Nefilim’s affiliates, Ukrainian national Artem Stryzhak, was arrested in Barcelona in June 2024 and extradited to the US in April to face one charge related to ransomware. ®