Full Report
The U.S. Department of Justice has charged Ukrainian national Volodymyr Viktorovich Tymoshchuk for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations. [...]
Analysis Summary
# Threat Actor: Volodymyr Viktorovich Tymoshchuk (deadforz, Boba, msfv, farnetwork)
## Attribution & Identity
The subject is identified as Ukrainian national **Volodymyr Viktorovich Tymoshchuk**.
He is known online by several aliases: **deadforz**, **Boba**, **msfv**, and **farnetwork**.
He is charged by the U.S. Department of Justice for his role as an administrator for the LockerGoga, MegaCortex, and Nefilim ransomware operations. Group-IB has also linked him to the **JSWORM**, **Karma**, **Nokoyawa**, and **Nemty** ransomware gangs, where he allegedly helped with affiliate recruitment since April 2019.
## Activity Summary
Tymoshchuk has been involved in multiple major ransomware operations spanning several years:
* **LockerGoga & MegaCortex (July 2019 – June 2020):** Allegedly breached the networks of over 250 companies across the US and globally. In many cases, early law enforcement alerts prevented the final deployment of the ransomware.
* **Nefilim (July 2020 – October 2021):** Allegedly served as an administrator, providing access to affiliates (including co-defendant Artem Aleksandrovych Stryzhak, who received 20% of ransom proceeds).
* **General Activity:** Acted as a serial ransomware criminal involved in threatening to leak sensitive data if ransoms were not paid.
## Tactics, Techniques & Procedures
Specific TTPs detailed by the indictment related to operational roles:
* **Ransomware Deployment:** Involvement with LockerGoga, MegaCortex, and Nefilim families.
* **Data Exfiltration/Extortion:** Threatening to leak sensitive victim data online.
* **Affiliate Management:** Providing network access to affiliates in exchange for a percentage of the ransom proceeds (e.g., with Nefilim).
* **Recruitment:** Recruiting affiliates for various ransomware gangs on Russian-speaking hacker forums.
## Targeting
* **Sectors:** Blue-chip American companies, healthcare institutions, and large foreign industrial firms.
* **Geography:** United States and worldwide victims.
* **Victims:** Hundreds of companies across various sectors, resulting in millions of dollars in damages when successful.
## Tools & Infrastructure
* **Malware families used:** LockerGoga, MegaCortex, Nefilim. Additionally linked to JSWORM, Karma, Nokoyawa, and Nemty.
* **Infrastructure:** The article primarily focuses on the criminal's role and activities rather than specific C2 infrastructure details.
## Implications
Tymoshchuk represents a high-value, serial cybercriminal operationally significant to five separate ransomware ecosystems. His actions caused significant business disruption and financial damage. The DOJ's aggressive pursuit, including an \$11 million reward offer, signals a high priority placed on dismantling the administrative tiers of major Ransomware-as-a-Service (RaaS) operations. The release of free decryptors for LockerGoga and MegaCortex (via the No More Ransom Project) provided partial relief to past victims.
## Mitigations
* Implement robust network monitoring capable of detecting initial access and lateral movement attempts indicative of ransomware preparation.
* Ensure high-quality, segmented backups that can withstand or bypass encryption attempts.
* Maintain vigilance regarding threat reports concerning new ransomware affiliates recruited on forums.
* (For past victims): Utilize available free decryptors for LockerGoga and MegaCortex if applicable.