Full Report
Rostislav Panev, who was arrested in Israel in August 2024 on U.S. charges related to dozens of LockBit ransomware attacks, has been extradited and appeared in a New Jersey federal court, authorities said.
Analysis Summary
# Threat Actor: Rostislav Panev (LockBit Developer)
## Attribution & Identity
* **Individual Identified:** Rostislav Panev, a 51-year-old dual Russian-Israeli national.
* **Role:** Alleged developer for the LockBit ransomware conspiracy from 2019 to at least February 2024.
* **Associated Groups:** LockBit ransomware operation.
* **Known Associates:** Suspected communication (direct messages) with LockBit’s primary administrator, Dimitry Yuryevich Khoroshev (@LockBitSupp).
## Activity Summary
Rostislav Panev was arrested in Israel in August 2024 and extradited to the U.S. to face 40 charges related to computer damage and extortion arising from LockBit ransomware activity. He is accused of designing the malware's source code and maintaining the infrastructure that kept the operation running. According to prosecutors, LockBit became one of the most active and destructive ransomware groups in the world, attacking more than 2,500 victims in 120 countries and extracting at least $500 million in ransom payments before the operation was disrupted in February 2024.
## Tactics, Techniques & Procedures
* **Malware Development:** Designed the source code for multiple versions of the LockBit builder, allowing affiliates to generate custom ransomware builds.
* **Infrastructure Management:** Maintained the infrastructure supporting the LockBit operation.
* **Data Exfiltration:** Allegedly possessed tools enabling affiliates to siphon data from victim systems.
* **Operational Control:** Possessed operational control panels for the ransomware service.
* **Financials:** Received regular payments of approximately $10,000 per month between June 2022 and February 2024 from the primary LockBit administrator. The transfers were made in cryptocurrency, laundered through one or more illicit mixing services, and landed in a wallet Panev controlled, totaling over $230,000.
* **TTP Mapping:** The broader LockBit operation aligns with Data Encrypted for Impact (T1486). Panev's own role maps to the resource-development side of the kill chain rather than to intrusion or encryption: building the malware (Develop Capabilities: Malware, T1587.001) and maintaining the operation's infrastructure (Acquire Infrastructure, T1583).
## Targeting
* **Sectors:** Schools, hospitals, local governments, businesses, and multinational corporations.
* **Geography:** Global reach, attacking victims in 120 countries, including approximately 1,800 U.S.-based organizations.
* **Victims:** Named only by sector: schools, hospitals, local governments, pharmaceutical developers, and banks. The Evolve Bank data breach is referenced in the context of LockBit activity; no other victim is identified by name.
## Tools & Infrastructure
* **Malware Families Used:** LockBit ransomware. The group's developers maintained the LockBit builder from which affiliates generated their own payloads.
* **Infrastructure:**
* Credentials for an online repository, hosted on the dark web, that stored source code for multiple versions of the LockBit builder (reportedly recovered from Panev's computer).
* Tools for siphoning data from victim systems, and operational control panels for the ransomware service.
## Implications
The extradition and charging of a key LockBit developer illustrate how far the international law enforcement effort (led by the U.K. National Crime Agency) has gone in disrupting the ransomware ecosystem. The February 2024 operation seized LockBit's sites and produced a decryptor for victims, severely degrading the group's operations. The continued pursuit of figures such as Khoroshev shows that high-level operators, not only affiliates, remain targets for prosecution.
## Mitigations
* **Contact Authorities:** Past LockBit victims are urged to contact law enforcement: the decryption capability recovered in the 2024 operation may allow encrypted files to be restored without paying a ransom.
* **Proactive Defense:** The tooling found in Panev's possession covered both the encryption stage (the builder) and the pre-encryption stage (data-siphoning tools and control panels). Defenses should therefore address initial compromise and the exfiltration that precedes encryption, not only the ransomware payload itself, since a prevented exfiltration removes the double-extortion leverage even when encryption is ultimately blocked.