Office of Public Affairs | LockerGoga, MegaCortex, and Nefilim Ransomware Administrator Charged with Ransomware Attacks | United States Department of Justice
Earlier today, the U.S. District Court for the Eastern District of New York unsealed a superseding indictment charging Volodymyr Viktorovich Tymoshchuk, also known as deadforz, Boba, msfv, and farnetwork, a Ukrainian national, with serving as an administrator in the LockerGoga, MegaCortex, and Nefilim ransomware schemes.

"Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world," said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department's Criminal Division. "In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored. This prosecution and today's rewards announcement reflects our determination to protect businesses from digital sabotage and extortion and to relentlessly pursue the criminals responsible, no matter where they are located."

"Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay," said U.S. Attorney Joseph Nocella Jr. for the Eastern District of New York. "For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today's charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous."

"Volodymyr Tymoshchuk repeatedly used ransomware attacks to target hundreds of companies in the United States and around the globe in attempts to extort victims," said Assistant Director in Charge Christopher G. Raia of the FBI New York Field Office. "Today's announcement should serve as warning: cyber criminals may believe they act with impunity while conducting harmful cyber intrusions, but law enforcement is onto you and will hold you accountable. The FBI, along with our law enforcement partners, will continue to scour the globe to bring to justice any individual attempting to use the anonymity of the internet to commit crime."

"The criminals behind Nefilim ransomware may believe they can profit from extortion and data leaks, but they are wrong," said Special Agent in Charge Christopher J.S. Johnson of the FBI's Springfield Field Office. "The FBI is actively pursuing them to disrupt their operations and bring them to justice. We urge all organizations to report these attacks immediately, because every report helps us dismantle these networks and ensure cybercriminals are held accountable."

As alleged in the superseding indictment, between December 2018 and October 2021, Tymoshchuk used the LockerGoga, MegaCortex, and Nefilim ransomware variants to encrypt computer networks in countries around the world, including in the Eastern District of New York, elsewhere in the United States, France, Germany, the Netherlands, Norway, and Switzerland. These ransomware attacks caused millions of dollars of losses, including damage to victim computer systems, remediation costs, and ransomware payments to the perpetrators. In these attacks, the perpetrators typically customized the ransomware executable file (the ransomware file responsible for encryption) for each ransomware victim. The customization allowed the ransomware actors to create a decryption key that could only decrypt the network of the specific victim. If a victim paid the ransom demand, the perpetrators would send a decryption tool, which enabled the victim to decrypt the computer files locked by the ransomware program.

Between July 2019 and June 2020, Tymoshchuk and his co-conspirators are alleged to have compromised the networks of more than 250 victim companies in the United States and hundreds of other companies around the world with LockerGoga and MegaCortex. However, many of these extortion attempts were unsuccessful because law enforcement often notified victims that their networks had been compromised before Tymoshchuk and his co-conspirators were able to deploy the ransomware. Subsequently, from July 2020 through October 2021, Tymoshchuk is alleged to have been one of the administrators of the Nefilim ransomware strain. Tymoshchuk and the other Nefilim administrators provided other Nefilim ransomware affiliates, including co-defendant Artem Stryzhak, who was extradited from Spain and faces charges in the Eastern District of New York, with access to the Nefilim ransomware in exchange for 20 percent of the ransom proceeds extorted from Nefilim victims.

In September 2022, as part of an international coordinated effort against LockerGoga and MegaCortex ransomware, decryption keys associated with those ransomware variants were made available to the public via the "No More Ransomware Project," an initiative to empower ransomware victims to decrypt encrypted computers without paying a ransom. These decryption keys enabled compromised victim companies and institutions to recover data previously encrypted with LockerGoga and MegaCortex ransomware.

Tymoshchuk is charged with two counts of conspiracy to commit fraud and related activity in connection with computers, three counts of intentional damage to a protected computer, one count of unauthorized access to a protected computer, and one count of transmitting a threat to disclose confidential information.

The FBI is investigating this case.

Trial Attorney Brian Z. Mund of the Justice Department's Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorneys Alexander F. Mindlin and Ellen H. Sise for the Eastern District of New York are prosecuting the case.

The Justice Department's Office of International Affairs provided critical assistance, as did the FBI's Legal Attachés, authorities in France, Czech Republic, Germany, Lithuania, Luxembourg, Netherlands, Norway, Switzerland, and Ukraine, and Europol and Eurojust via ICHIP The Hague.

CCIPS investigates and prosecutes cybercrime in coordination with domestic and international law enforcement agencies, often with assistance from the private sector. Since 2020, CCIPS has secured the conviction of over 180 cybercriminals and court orders for the return of over $350 million in victim funds.

Concurrent with the unsealing of the superseding indictment, the U.S. Department of State's Transnational Organized Crime (TOC) Rewards Program is offering rewards totaling up to $11 million for information leading to the arrest and/or conviction or location of Tymoshchuk or his conspirators.

Anyone with information on these malicious cyber actors, or associated individuals or entities, should contact the FBI via phone at 1-917-242-1407 or by email at TymoTips@fbi.gov. If you are in the United States, you can also contact your local FBI field office. If outside the United States, you can visit the nearest U.S. embassy. More information about the TOC reward offer is located on the State Department website.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.