LockBit | Breaking Cybersecurity News | The Hacker News

A 51-year-old dual Russian and Israeli national who is alleged to be a developer of the LockBit ransomware group has been extradited to the United States, nearly three months after he was formally charged in connection with the e-crime scheme. Rostislav Panev  was previously arrested in Israel in August 2024. He is said to have been working as a developer for the ransomware gang from 2019 to February 2024, when the operation's online infrastructure was seized in a law enforcement exercise. "Rostislav Panev's extradition to the District of New Jersey makes it clear: if you are a member of the LockBit ransomware conspiracy, the United States will find you and bring you to justice," said United States Attorney John Giordano. LockBit grew to become one of the most prolific ransomware groups, attacking more than 2,500 entities in at least 120 countries around the world. Nearly 1,800 of those were located in the United States. Victims consisted of individuals and ...

A dual Russian and Israeli national has been charged in the United States for allegedly being the developer of the now-defunct LockBit ransomware-as-a-service (RaaS) operation since its inception in or around 2019 through at least February 2024. Rostislav Panev , 51, was arrested in Israel earlier this August and is currently awaiting extradition, the U.S. Department of Justice (DoJ) said in a statement. Based on fund transfers to a cryptocurrency wallet owned by Panev, he allegedly earned approximately $230,000 between June 2022 and February 2024. "Rostislav Panev for years built and maintained the digital weapons that enabled his LockBit co-conspirators to wreak havoc and cause billions of dollars in damage around the world," U.S. Attorney Philip R. Sellinger said . LockBit, which was one of the most prolific ransomware groups, had its infrastructure seized in February 2024 as part of an international law enforcement operation called Cronos. It gained notoriety for tar...

A Russian cybercriminal wanted in the U.S. in connection with LockBit and Hive ransomware operations has been arrested by law enforcement authorities in the country. According to a news report from Russian media outlet RIA Novosti, Mikhail Pavlovich Matveev has been accused of developing a malicious program designed to encrypt files and seek ransom in return for a decryption key. "At present, the investigator has collected sufficient evidence, the criminal case with the indictment signed by the prosecutor has been sent to the Central District Court of the city of Kaliningrad for consideration on the merits," the Russian Ministry of Internal Affairs said in a statement. Matveev has been charged under Part 1 of Article 273 of the Criminal Code of the Russian Federation, which relates to the creation, use, and distribution of computer programs that can cause "destruction, blocking, modification or copying of computer information." He was previously charged and ...

Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus. "Helldown deploys Windows ransomware derived from the LockBit 3.0 code," Sekoia said in a report shared with The Hacker News. "Given the recent development of ransomware targeting ESX, it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware." Helldown was first publicly documented by Halcyon in mid-August 2024, describing it as an "aggressive ransomware group" that infiltrates target networks by exploiting security vulnerabilities. Some of the prominent sectors targeted by the cybercrime group include IT services, telecommunications, manufacturing, and healthcare. Like other ransomware crews, Helldown is known for leveraging data leak sites to pressure victims into paying ransoms by threatening to publish s...

A new wave of international law enforcement actions has led to four arrests and the takedown of nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation, marking the latest salvo against what was once a prolific financially motivated group. This includes the arrest of a suspected LockBit developer in France while on holiday outside of Russia, two individuals in the U.K. who allegedly supported an affiliate, and an administrator of a bulletproof hosting service in Spain used by the ransomware group, Europol said in a statement. In conjunction, authorities outed a Russian national named Aleksandr Ryzhenkov (aka Beverley, Corbyn_Dallas, G, Guester, and Kotosel) as one of the high-ranking members of the Evil Corp cybercrime group, while simultaneously painting him as a LockBit affiliate. Sanctions have also been announced against seven individuals and two entities linked to the e-crime gang. "The United States, in close coordination with our allies and part...

Two Russian nationals have pleaded guilty in a U.S. court for their participation as affiliates in the LockBit ransomware scheme and helping facilitate ransomware attacks across the world. The defendants include Ruslan Magomedovich Astamirov, 21, of Chechen Republic, and Mikhail Vasiliev, 34, a dual Canadian and Russian national of Bradford, Ontario. Astamirov was arrested in Arizona by U.S. law enforcement agencies in May 2023. Vasiliev, who is already wanted for similar charges in Canada, was sentenced to nearly four years in jail. He was subsequently extradited to the U.S. last month. The development comes more than two months after the U.K. National Crime Agency (NCA) unmasked a 31-year-old Russian national named Dmitry Yuryevich Khoroshev as the administrator and developer of the LockBit ransomware operation. LockBit, which is estimated to have attacked over 2,500 entities since its appearance towards the end of 2019, raking in at least approximately $500 million in ranso...

The U.S. Federal Bureau of Investigation (FBI) has disclosed that it's in possession of more than 7,000 decryption keys associated with the LockBit ransomware operation to help victims get their data back at no cost. "We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov," FBI Cyber Division Assistant Director Bryan Vorndran said in a keynote address at the 2024 Boston Conference on Cyber Security (BCCS). LockBit, which was once a prolific ransomware gang, has been linked to over 2,400 attacks globally, with no less than 1,800 impacting entities in the U.S. Earlier this February, an international law enforcement operation dubbed Cronos led by the U.K. National Crime Agency (NCA) dismantled its online infrastructure. Last month, a 31-year-old Russian national named Dmitry Yuryevich Khoroshev was outed by authorities as the group's administrator and developer, a ...

The U.K. National Crime Agency (NCA) has unmasked the administrator and developer of the LockBit ransomware operation, revealing it to be a 31-year-old Russian national named  Dmitry Yuryevich Khoroshev . In addition, Khoroshev has been sanctioned  by the U.K. Foreign, Commonwealth and Development Office (FCD), the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), and the Australian Department of Foreign Affairs. Europol, in a  press statement , said authorities are in possession of over 2,500 decryption keys and are continuing to contact LockBit victims to offer support. Khoroshev, who went by the monikers LockBitSupp and putinkrab, has also become the subject of asset freezes and travel bans, with the U.S. Department of State offering a reward of up to $10 million for information leading to his arrest and/or conviction. Previously, the agency had  announced  reward offers of up to $15 milli...

Threat actors behind the Akira ransomware group have extorted approximately $42 million in illicit proceeds after breaching the networks of more than 250 victims as of January 1, 2024. "Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia," cybersecurity agencies from the Netherlands and the U.S., along with Europol's European Cybercrime Centre (EC3),  said  in a joint alert. "In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines." The double-extortion group has been observed using a C++ variant of the locker in the early stages, before shifting to a Rust-based code as of August 2023. It's worth noting that the e-crime actor is  completely different  from the Akira ransomware family that was active in 2017. Initial access to target networks is facili...

The  ransomware industry surged in 2023  as it saw an alarming 55.5% increase in victims worldwide, reaching a staggering 5,070.  But 2024 is starting off showing a very different picture.  While the numbers skyrocketed in Q4 2023 with 1309 cases, in Q1 2024, the ransomware industry was down to 1,048 cases. This is a 22% decrease in ransomware attacks compared to Q4 2023. Figure 1: Victims per quarter There could be several reasons for this significant drop.  Reason 1: The Law Enforcement Intervention Firstly, law enforcement has upped the ante in 2024 with actions against both LockBit and ALPHV. The LockBit Arrests In February, an international operation named "Operation Cronos" culminated in the arrest of at least three associates of the infamous LockBit ransomware syndicate in Poland and Ukraine.  Law enforcement from multiple countries collaborated to take down LockBit's infrastructure. This included seizing their dark web domains and gaining ac...

An updated version of an information-stealing malware called Rhadamanthys is being used in phishing campaigns targeting the oil and gas sector. "The phishing emails use a unique vehicle incident lure and, in later stages of the infection chain, spoof the Federal Bureau of Transportation in a PDF that mentions a significant fine for the incident," Cofense researcher Dylan Duncan  said . The email message comes with a malicious link that leverages an open redirect flaw to take the recipients to a link hosting a supposed PDF document, but, in reality, is an image that, upon clicking, downloads a ZIP archive with the stealer payload. Written in C++,  Rhadamanthys  is designed to establish connections with a command-and-control (C2) server in order to harvest sensitive data from the compromised hosts. "This campaign appeared within days of the law enforcement takedown of the LockBit ransomware group," Duncan said. "While this could be a coincidence, Trend Micr...

German authorities have announced the takedown of an illicit underground marketplace called  Nemesis Market  that peddled narcotics, stolen data, and various cybercrime services. The Federal Criminal Police Office (aka Bundeskriminalamt or BKA) said it seized the digital infrastructure associated with the darknet service located in Germany and Lithuania and confiscated €94,000 ($102,107) in cryptocurrency assets. The operation, conducted in collaboration with law enforcement agencies from Germany, Lithuania, and the U.S., took place on March 20, 2024, following an extensive investigation that commenced in October 2022. Founded in 2021, Nemesis Market is estimated to have had more than 150,000 user accounts and 1,100 seller accounts from all over the world prior to its shutdown. Almost 20$ of the seller accounts were from Germany. "The range of goods available on the marketplace included narcotics, fraudulently obtained data and goods, as well as a selection of cybercrime ...

Multiple threat actors are exploiting the recently disclosed security flaws in JetBrains TeamCity software to deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and a Golang-based remote access trojan called Spark RAT. The attacks entail the exploitation of  CVE-2024-27198  (CVSS score: 9.8) that enables an adversary to bypass authentication measures and gain administrative control over affected servers. "The attackers are then able to install malware that can reach out to its command-and-control (C&C) server and perform additional commands such as deploying Cobalt Strike beacons and remote access trojans (RATs)," Trend Micro  said  in a new report. "Ransomware can then be installed as a final payload to encrypt files and demand ransom payments from victims." Following public disclosure of the flaw earlier this month, it has been weaponized by threat actors associated with  BianLian  and  Jasmin ransomware  families, as well...