Rostislav Panev, a dual Russian and Israeli national, has been charged by U.S. authorities for his role as the developer behind the notorious LockBit ransomware-as-a-service (RaaS) operation. Arrested in Israel in August 2024, Panev is accused of playing a key role in developing the malware that facilitated some of the most damaging ransomware attacks in recent years. His involvement allegedly started with the creation of the ransomware in 2019, continuing through February 2024. According to the U.S. Department of Justice, between June 2022 and February 2024, Panev earned approximately $230,000 from the operation through cryptocurrency transfers.
LockBit ransomware became one of the most prolific cyber threats worldwide, targeting over 2,500 entities across more than 120 countries. Victims ranged from small businesses to large corporations, government agencies, healthcare facilities, and law enforcement organizations. The group’s operations reportedly generated over $500 million in illicit revenue. Authorities uncovered evidence suggesting that Panev was deeply involved in the creation of multiple versions of the ransomware and had provided guidance to affiliates on how to deploy it effectively.
Court documents show that, following his arrest, investigators discovered crucial data on Panev’s computer, including administrator credentials for a dark web repository hosting the source code for the ransomware. Additionally, his computer contained access to the LockBit control panel and a tool used by affiliates to exfiltrate sensitive data from victims before encrypting their files. Panev’s admission to Israeli authorities confirmed his extensive role in coding, maintaining, and offering technical support for the LockBit operation.
Despite significant setbacks in its operations, including the seizure of its infrastructure as part of an international law enforcement operation in February 2024, LockBit’s operators are reportedly planning a comeback. A new version of the ransomware, LockBit 4.0, is scheduled for release in February 2025. The group’s potential return, however, remains uncertain given the ongoing global crackdown on ransomware operations and the mounting legal actions against its members.