U.S. indicts Ukrainian national for hundreds of ransomware attacks using multiple variants

The Department of Justice unsealed an indictment against a Ukrainian national alleged to be central to a ransomware campaign affecting hundreds of companies worldwide.
Volodymyr Viktorovych Tymoshchuk, known online as “deadforz,” “Boba,” “msfv,” and “farnetwork,” is accused of developing and deploying ransomware variants Nefilim, LockerGoga, and MegaCortex, all of which have been used in attacks on prominent organizations in the United States, Europe, and elsewhere since at least 2018.
According to the indictment, filed in the Eastern District of New York, Tymoshchuk and his alleged co-conspirators are believed to have extorted more than 250 companies across the U.S. and hundreds more globally, causing tens of millions of dollars in damages. Victims suffered not just the loss of data and the disabling of business operations, but also high mitigation and recovery costs.
Among the targets were blue-chip corporations, health care institutions, and major industrial firms. Prosecutors detailed how the group tailored attacks to entities with annual revenues exceeding $100 million, sometimes specifically seeking out companies in the U.S., Canada, or Australia.
Additionally, the State Department announced rewards totaling up to $10 million for information leading to the arrest or conviction of Tymoshchuk, with a separate reward of up to $1 million for information on other key leaders of the groups deploying the ransomware variants.
“Volodymyr Tymoshchuk repeatedly used ransomware attacks to target hundreds of companies in the United States and around the globe in attempts to extort victims. Today’s announcement should serve as warning, cyber criminals may believe they act with impunity while conducting harmful cyber intrusions, but law enforcement is onto you and will hold you accountable,” said Christopher Raia, FBI assistant director in charge. “The FBI along with our law enforcement partners will continue to scour the globe to bring to justice any individual attempting to use the anonymity of the internet to commit crime.”
Authorities say the Nefilim variant operated in a “ransomware as a service” model. Tymoshchuk allegedly acted as an administrator, providing ransomware tools to affiliates — including co-defendant Artem Stryzhak, who was extradited from Spain in April and awaits trial in New York — in exchange for a share of payments.
Federal prosecutors reported that many attacks were thwarted after law enforcement warned potential victims their networks were compromised before ransomware was deployed. Still, ransomware groups continued to iterate with new malicious code after older versions had been unraveled by defenders.
The investigation was carried out by the U.S. Attorney’s Office for the Eastern District of New York’s National Security and Cybercrime Section, alongside the Department of Justice’s Computer Crime and Intellectual Property Section. The Justice Department’s Office of International Affairs, FBI Legal Attachés, and authorities from more than 10 European countries played key roles in the case’s development.
Despite these efforts, Tymoshchuk remains a fugitive.
You can read the full indictment on the Department of Justice’s website.