Top LockBit developer arrested, awaiting extradition to US


The notorious LockBit ransomware gang continues to crumble. The US has charged Rostislav Panev, 51, for acting as a developer of LockBit since its inception around 2019.

Panev, a dual Russian and Israeli national, was arrested in Israel in August 2024 and is currently in custody pending extradition to the US, the Department of Justice (DOJ) announced. The criminal complaint alleges that Rostislav Panev developed malware and maintained the infrastructure for LockBit.

Correspondence with LockBit's alleged leader, Dmitry Yuryevich Khoroshev, whom the FBI publicly identified in May 2024, helped investigators tie Panev to the group.


According to the DOJ, Panev exchanged direct messages through a cybercriminal forum with LockBit’s primary administrator, who is also known as LockBitSupp, LockBit, and putinkrab. The two conspirators discussed work that needed to be done on the LockBit builder and control panel.


Panev also received a series of cryptocurrency payments from the LockBit administrator, roughly $10,000 per month, amounting to over $230,000 between June 2022 and February 2024. The payments were routed through illicit cryptocurrency-mixing services to obscure their origin.

Developers like Panev, who were members of LockBit, designed the malware code and maintained the infrastructure on which LockBit operated. LockBit also had affiliates that carried out attacks and extorted ransom payments from LockBit victims. LockBit’s developers and affiliates would then split the ransom payments extorted from victims.

“The arrest of alleged developer Rostislav Panev is part of the FBI’s ongoing efforts to disrupt and dismantle the LockBit ransomware group, one of the most prolific ransomware variants across the globe,” said FBI Director Christopher Wray.

Panev's computer may lead to further breakthroughs: investigators found on it administrator credentials for an online repository hosted on the dark web.

It stored source code for multiple versions of the LockBit builder, which allowed LockBit’s affiliates to generate custom builds of the LockBit ransomware malware for particular victims. It also contained the source code for LockBit’s StealBit tool, which helped affiliates to exfiltrate data stolen through LockBit attacks.

Investigators also recovered access credentials for the LockBit control panel, the online dashboard that the gang's developers maintained for its affiliates.


In interviews with Israeli authorities following his arrest, Panev admitted to having performed coding, development, and consulting work for the LockBit group and to having received regular payments for it. According to the DOJ, code he wrote helped disable antivirus software, deploy the malware to other computers on a victim's network, and print ransom notes on every printer connected to that network. Panev admitted to writing and maintaining LockBit's malware code, as well as providing technical assistance to the group.

Attorney General Merrick B. Garland called LockBit one of “the world’s most dangerous ransomware schemes.”

“Three of the individuals who we allege are responsible for LockBit’s cyberattacks against thousands of victims are now in custody, and we will continue to work alongside our partners to hold accountable all those who lead and enable ransomware attacks,” Garland said.

In February 2024, a coordinated law enforcement operation disrupted the LockBit cartel "at every level." Its primary platform, critical infrastructure, and 34 servers across several countries were taken down, including the gang's leak site, which police later resurrected to mock the criminals with their own branding.

Further investigations led to the arrests of gang members, and seven of LockBit's key members have now been charged. Meanwhile, the group that was once the world's most destructive ransomware operation, responsible for thousands of victims and billions of dollars in damages, has tried to keep up the appearance of activity. In recent months, however, it has been dethroned by other gangs.


The DOJ assesses that the LockBit ransomware group attacked more than 2,500 victims in at least 120 countries around the world, including 1,800 in the United States. The cartel targeted both public and private sector victims, ranging from individuals and small businesses to multinational corporations, including hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.

LockBit’s members extracted at least $500 million in ransom payments from their victims, while also causing billions of dollars in damages.

The gang's leader, Khoroshev, and "any individuals who hold a key leadership position in LockBit" are currently the subjects of rewards of up to $10 million.

“For three years, Lockbit reigned as the undisputed and most prolific ransomware family used by cybercriminals. Throughout this time the service operators and developers supporting Lockbit continually released new tools and capabilities enabling their affiliates to disrupt countless international businesses and extract enormous ransom payments,” said Jeremy Kennelly, Mandiant Senior Principal Analyst, Financial Crime Analysis at Google Cloud.


“These international law enforcement efforts to disrupt Lockbit have proven incredibly effective at dismantling and discrediting the brand; the volume of ransomware intrusions associated with the service has dropped precipitously since the summer of 2024.”

Although the affiliates, in many cases, likely shifted to work with other services, Kennelly believes that these continued efforts are critical to ensuring that ransomware and extortion are seen as crimes for which there are consequences.