Suspected LockBit dev, facing US extradition, 'did it for the money'

Dual Russian-Israeli national arrested in August


An alleged LockBit ransomware developer is in custody in Israel and awaiting extradition to the United States.

Israeli law enforcement arrested Rostislav Panev, 51, a dual Russian and Israeli national, in August at the request of the US.

Panev faces 41 counts, including computer-related extortion, conspiracy to commit fraud, conspiracy to commit wire fraud, and intentional damage to a protected computer, according to a criminal complaint [PDF] filed in the District of New Jersey that was unsealed on December 20.

With the addition of Panev, seven LockBit members have been charged with crimes and three have been arrested.

"We started this year with a coordinated international disruption of LockBit – the most damaging ransomware group in the world," Deputy Attorney General Lisa Monaco said in a statement. "Fast forward to today and three LockBit actors are in custody thanks to the diligence of our investigators and our strong partnerships around the world."

LockBit, the notorious ransomware gang that began infecting victims around January 2020, more or less ended with the UK-led disruption and website seizure in February, followed by the unmasking of the crew's alleged kingpin, Dmitry Yuryevich Khoroshev, aka LockBitSupp.

The feds unsealed an indictment against Khoroshev in May, and he currently has a $10 million bounty on his head.

While the scumbags still claim victims and have even teased a new version of their malware, the criminal operation is a shadow of its former self.

In total, the criminals infected more than 2,500 victims in at least 120 countries, including 1,800 in the US, according to the Justice Department. The group's affiliates extorted at least $500 million in ransom payments from their victims and caused billions of dollars in other losses.

From the group's inception around 2019 through February 2024, Panev worked as a LockBit developer, according to the criminal complaint.

At the time of his arrest in August, Israeli cops reportedly searched Panev's computer and discovered credentials for a Git repository that contained source code for LockBit's ESXi, Linux, Proxmox, and Nutanix builders; source code for the Conti ransomware variant; source code for the StealBit custom data exfiltration tool; and a copy of the LockBit 3.0 ransom note.

The complaint says they also found access credentials for the LockBit control panel on Panev's machine:

Notably, the panel accessed with PANEV's credentials also included a handle to communicate with that LockBit user on 'Service-1,' a decentralized, end-to-end encrypted messaging platform. Specifically, the listed Service-1 handle was 'FUCKFBI' followed by other characters.

US authorities say that, before his arrest, they had obtained evidence showing Panev exchanged direct messages with Khoroshev on a darkweb forum identified as "Forum-1," in which the two discussed work that needed to be done on the LockBit builder and control panel.

Between June 2022 and February 2024, Khoroshev made a series of payments to Panev, laundered through various cryptocurrency mixing services, of about $10,000 per month, the court documents allege.

After he was arrested in August, Panev "agreed to multiple voluntary interviews with Israeli authorities," the complaint says. During those interviews, he reportedly admitted his correspondence with LockBit began around 2019 and he performed several coding jobs for the gang in exchange for compensation.

"Those jobs included, among other things, writing code to disable the Windows Defender antivirus system (presumably, to allow a malware payload, like a LockBit build, to be deployed on a victim computer); writing code to deploy malware throughout a network via the Windows Active Directory service; and writing code to print a given text on all printers on a given network (presumably, the LockBit ransom note)," according to the criminal complaint.

Panev also admitted that, later in his tenure, he wrote code for LockBit's encryption malware and gave the gang technical guidance, and that this is when the monthly $10,000 payments began rolling in.

But in perhaps our favorite part of the 48-page court document, Panev allegedly told the Israeli authorities that at first he didn't realize the work he was doing for LockBit was illegal.

"Panev claimed – dubiously, in the assessment of US authorities, given the nature of the services he acknowledged providing from the very beginning of his work for LockBit and his own extensive familiarity with computer science, hacking, and cybercrime, as discussed in this Affidavit – that he at first did not realize that the work he was doing for LockBit was unlawful," it reads.

Later, however, he did catch on to the fact that he was providing code for a criminal operation, but "admitted that he continued working for the LockBit group, in sum and substance, 'for the money.'" ®
