US charges Russian-Israeli as suspected LockBit ransomware coder
The US Department of Justice has charged a Russian-Israeli dual-national for his suspected role in developing malware and managing the infrastructure for the notorious LockBit ransomware group.
According to a criminal complaint unsealed today in the District of New Jersey, Rostislav Panev, 51, a dual Russian and Israeli national, allegedly helped develop LockBit ransomware encryptors and a custom “StealBit” data-theft tool commonly used in attacks.
Panev was arrested in Israel in August, where he awaits a pending extradition request by the United States. Israeli news site Ynet first reported about the arrest.
The criminal complaint alleges that Israeli law enforcement found credentials on his computer to an online repository containing the source code for the LockBit encryptors and the StealBit tool.
“As alleged in the superseding complaint, at the time of Panev’s arrest in Israel in August, law enforcement discovered on Panev’s computer administrator credentials for an online repository that was hosted on the dark web and stored source code for multiple versions of the LockBit builder, which allowed LockBit’s affiliates to generate custom builds of the LockBit ransomware malware for particular victims,” reads the complaint.
“On that repository, law enforcement also discovered source code for LockBit’s StealBit tool, which helped LockBit affiliates exfiltrate data stolen through LockBit attacks. Law enforcement also discovered access credentials for the LockBit control panel, an online dashboard maintained by LockBit developers for LockBit’s affiliates and hosted by those developers on the dark web.”
The repositories also contained the source code for the Conti ransomware encryptors, which was leaked by a Ukranian researcher after Conti sided with Russia over the invasion of Ukraine.
This source code is believed to have been used to help create the “LockBit Green” encryptor, which was based off of Conti’s encryptor.
The complaint also says that Panev used a hacking forum’s private message feature to communicate with LockBit’s primary operator, LockBitSupp, now identified as Dmitry Yuryevich Khoroshev. These messages were to discuss work that needed to be coded on the LockBit builder and the operation’s control panel.
For his work with the LockBit ransomware gang, Panev allegedly earned approximately $230,000 over 18 months.
“Court documents further indicate that, between June 2022 and February 2024, the primary LockBit administrator made a series of transfers of cryptocurrency, laundered through one or more illicit cryptocurrency mixing services, of approximately $10,000 per month to a cryptocurrency wallet owned by Panev,” alleged the DOJ announcement.
“Those transfers amounted to over $230,000 during that period.”
In interviews with Israeli police following his arrest, Panev allegedly admitted to doing programming work for the LockBit ransomware and receiving compensation for his time.
If Panev is extradited to the US, he will be tried in the District of New Jersey.
Disrupting LockBit
Panev is the seventh LockBit ransomware gang member charged since 2023, with international law enforcement focusing heavily on disrupting the operation.
In 2023, the U.S. Justice Department charged a Russian citizen named Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin) for his involvement in the Hive, LockBit, and Babuk ransomware operations.
In February 2024, law enforcement agencies from 10 countries disrupted the LockBit ransomware operation in a joint operation called “Operation Cronos.” During this operation, law enforcement hacked LockBit’s infrastructure to steal data, lists of affiliates, and over 7,000 decryption keys.
These decryption keys allowed companies worldwide to recover their data for free without paying a ransom.
That same month, the US charged two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord), for their involvement in LockBit attacks.
In May 2024, the US charged, sanctioned, and revealed that the operator of the LockBit ransomware was allegedly a Russian national named Dmitry Yuryevich Khoroshev, aka ‘LockBitSupp’ and ‘putinkrab’.
In July, Russian national Ruslan Magomedovich Astamirov and Canadian/Russian national Mikhail Vasiliev pleaded guilty to being affiliates for the LockBit ransomware operation and conducting numerous attacks.
The US Department of State’s Rewards for Justice program is currently offering a $10 million reward for information leading to Khoroshev’s arrest, as well as up to $10 million for the arrest of other members of the LockBit ransomware gang.