Friday, October 31, 2025

LockerGoga, MegaCortex, Nefilim Ransomware Administrator Charged with Ransomware Attacks

Earlier today, the U.S. District Court for the Eastern District of New York unsealed a superseding indictment charging Volodymyr Viktorovich Tymoshchuk — also known as deadforz, Boba, msfv, and farnetwork — a Ukrainian national, with serving as an administrator in the LockerGoga, MegaCortex, and Nefilim ransomware schemes.

“Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division. “In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored. This prosecution and today’s rewards announcement reflect our determination to protect businesses from digital sabotage and extortion and to relentlessly pursue the criminals responsible, no matter where they are located.”

As alleged in the superseding indictment, between December 2018 and October 2021, Tymoshchuk used the LockerGoga, MegaCortex, and Nefilim ransomware variants to encrypt computer networks in countries around the world, including in the Eastern District of New York, elsewhere in the United States, France, Germany, the Netherlands, Norway, and Switzerland.

These ransomware attacks resulted in millions of dollars in losses, encompassing damage to victim computer systems, remediation costs, and ransomware payments to the perpetrators.

In these attacks, the perpetrators typically customised the ransomware executable (the file responsible for encryption) for each victim. The customisation enabled the ransomware actors to generate a decryption key that could decrypt only that specific victim's network.

If a victim paid the ransom demand, the perpetrators would send a decryption tool, which enabled the victim to decrypt the computer files locked by the ransomware program.

Between July 2019 and June 2020, Tymoshchuk and his co‑conspirators are alleged to have compromised the networks of more than 250 victim companies in the United States and hundreds of other companies around the world with LockerGoga and MegaCortex.

However, many of these extortion attempts were unsuccessful because law enforcement often notified victims that their networks had been compromised before Tymoshchuk and his co-conspirators were able to deploy the ransomware.

Subsequently, from July 2020 through October 2021, Tymoshchuk is alleged to have been one of the administrators of the Nefilim ransomware strain.

Tymoshchuk and the other Nefilim administrators provided other Nefilim ransomware affiliates, including co‑defendant Artem Stryzhak, who was extradited from Spain and faces charges in the Eastern District of New York, with access to the Nefilim ransomware in exchange for 20 per cent of the ransom proceeds extorted from Nefilim victims.

In September 2022, as part of an international coordinated effort against LockerGoga and MegaCortex ransomware, decryption keys associated with those ransomware variants were made available to the public via the “No More Ransomware Project”, an initiative to empower ransomware victims to decrypt encrypted computers without paying a ransom.

These decryption keys enabled compromised victim companies and institutions to recover data previously encrypted with LockerGoga and MegaCortex ransomware.

Tymoshchuk is charged with two counts of conspiracy to commit fraud and related activity in connection with computers, three counts of intentional damage to a protected computer, one count of unauthorised access to a protected computer, and one count of transmitting a threat to disclose confidential information.

Funminiyi Philips
Funminiyi B. Philips is a cybersecurity enthusiast. He can be reached on LinkedIn via https://www.linkedin.com/in/funminiyi-b-philips