The U.S. government has charged Rostislav Panev, a dual Russian and Israeli citizen, with developing and maintaining the malicious software code for the LockBit ransomware group. Panev, 51, allegedly earned more than $230,000 in cryptocurrency for his contributions. He was arrested in Israel and is awaiting extradition to the United States. His arrest marks the third apprehension of an individual connected to LockBit, a notorious ransomware group.
Previously, authorities detained Mikhail Vasiliev and Ruslan Magomedovich Astamirov, two other alleged members of the LockBit organization. Both have pleaded guilty to multiple charges, including conspiracy to commit computer fraud. Despite these arrests, law enforcement is still pursuing the group’s alleged leader, Dmitry Khoroshev. The U.S. Department of Justice (DOJ) has offered a reward of up to $10 million for information leading to his capture. The DOJ alleges that Khoroshev has personally received at least $100 million in digital currency, representing his developer share—20%—of the ransom payments collected by LockBit affiliates who employed the group’s ransomware software.
Panev is accused of being part of the LockBit group since its inception in 2019. According to the complaint, he played a significant role in enabling ransomware attacks on hundreds of targets worldwide, including hospitals, businesses, and government agencies. His contributions allegedly helped facilitate a wide range of operations that caused substantial harm to victims across various sectors.
Investigators linked Panev to LockBit by uncovering login credentials on his computer. These credentials provided access to a dark web repository containing multiple versions of the LockBit ransomware builder. This tool allowed group members to create customized versions of the ransomware tailored to specific victims. Panev reportedly admitted during interviews with Israeli police that he had been involved in writing and maintaining the malware code for LockBit.
Some of the malicious code Panev is accused of creating was designed to disable Windows Defender antivirus software, execute malware across multiple computers in a network, and broadcast ransom notes via network printers. While Panev initially claimed he was unaware that his work was part of illegal activities, the DOJ’s complaint emphasizes his central role in maintaining and advancing LockBit’s operations.
LockBit is one of the most active ransomware groups globally, known for targeting critical infrastructure and extracting significant ransoms. The group operates using a “ransomware-as-a-service” model, where developers provide the malicious software to affiliates who carry out attacks. This structure enables widespread deployment of the ransomware, amplifying its impact.
Panev’s arrest and the ongoing search for Khoroshev underscore the U.S. government’s commitment to dismantling cybercriminal organizations and holding their members accountable. The case also highlights the growing collaboration between international law enforcement agencies to combat cybercrime. Panev’s extradition to the U.S. will likely lead to further legal proceedings and could provide additional insights into LockBit’s operations.
With the arrests of Panev, Vasiliev, and Astamirov, authorities have begun to disrupt the group’s activities. However, Khoroshev and other potential key members continue to evade capture, which indicates that the fight against LockBit and similar ransomware groups is far from over. The substantial financial gains of individuals like Khoroshev demonstrate the lucrative nature of these operations, which further complicates efforts to eradicate ransomware networks entirely.
This case serves as a reminder of the pervasive threat posed by ransomware groups and the importance of coordinated efforts to counteract their activities. By targeting both developers and affiliates, law enforcement aims to weaken the infrastructure supporting ransomware-as-a-service models, thereby reducing their reach and impact.