The U.S. Department of Justice (DoJ) has unsealed a superseding criminal complaint against Rostislav Panev, a dual Russian-Israeli national, for his alleged role as a developer within the notorious LockBit ransomware group.
Panev, 51, was arrested in Israel in August 2024, pursuant to a U.S. extradition request. The LockBit group has inflicted billions of dollars in damages worldwide, targeting over 2,500 victims in at least 120 countries.
Panev’s arrest and charging follow years of investigation into LockBit, one of the world’s most active ransomware groups since its emergence in 2019. Authorities discovered significant evidence on Panev's devices, including access credentials to LockBit’s infrastructure and source code for the ransomware and related tools. Panev admitted to Israeli authorities that he developed and maintained malware code for the group, receiving regular cryptocurrency payments for his services.
In August, law enforcement searched Panev’s residence in Israel, uncovering administrator credentials for the LockBit control panel and repositories containing source code for LockBit variants. These discoveries corroborated communications between Panev and LockBit’s primary administrator, Dmitry Yuryevich Khoroshev, alias “LockBitSupp,” who remains a fugitive.
The LockBit ransomware operation
LockBit operates under a Ransomware-as-a-Service (RaaS) model, where developers like Panev create and maintain the ransomware and infrastructure, while affiliates execute attacks. Since 2019, LockBit has extorted over $500 million in ransom payments, targeting entities ranging from small businesses to multinational corporations, hospitals, and government agencies. LockBit’s innovations include tools like “StealBit” for data exfiltration and versions of ransomware tailored to Windows, Linux, and virtualization platforms like VMware ESXi.
Evidence against Panev
The superseding criminal complaint includes detailed allegations against Panev:
- Panev reportedly developed critical features, such as malware to disable antivirus software, automated ransomware deployment, and the notorious “Print a Note” function, which spams ransom notes across network printers.
- Between June 2022 and February 2024, Panev received over $230,000 in Bitcoin from LockBit’s administrator, payments allegedly laundered through cryptocurrency mixers.
- Panev's devices contained evidence of communication with LockBit’s leadership and access to repositories containing LockBit’s source code and decryption tools.
The LockBit crackdown
Panev’s arrest is part of a broader international effort to dismantle LockBit. Earlier this year, authorities in the U.S., U.K., and Europe disrupted LockBit’s infrastructure, seizing servers and public-facing websites. This operation significantly weakened the group's operational capabilities, though attacks have resumed on a smaller scale.
To date, seven key members of LockBit, including affiliates and developers, have been charged by the District of New Jersey. In addition to Panev, prominent figures include Mikhail Vasiliev and Ruslan Astamirov, affiliates who have pleaded guilty, and the leader, Khoroshev, who remains on the FBI’s most-wanted list.