US charges Israeli-Russian national with making software for LockBit ransomware gang
LockBit has made headlines for years, allowing purveyors of its malware to haul away millions of dollars from victims.
The U.S. charged Israeli-Russian national Rostislav Panev with developing software for the infamous LockBit ransomware group that for years has caught the attention of law enforcement officials and cybersecurity researchers around the world.
Panev allegedly served as a developer for the LockBit ransomware group from its formation around 2019 until at least February 2024. During that period, he and associates expanded LockBit into one of the most active and destructive ransomware organizations globally.
The group targeted over 2,500 victims across at least 120 countries, including 1,800 in the United States, the Justice Department said in a media release announcing the charges.
Their victims ranged from individuals and small businesses to large corporations, hospitals, schools, nonprofit organizations, critical infrastructure, government and law enforcement entities. LockBit’s operations resulted in the extraction of over $500 million in ransom payments and caused billions of dollars in additional losses, DOJ said.
The U.S. is seeking extradition of Panev from Israel, according to a Thursday report from Israeli news outlet Ynet. Panev was arrested in August.
“My client is a computer technician,” Panev’s lawyer, Sharon Nahari, said in a statement to Ynet. “His role was strictly limited to software development, and he was neither aware of nor involved in the primary offenses he has been accused of, including fraud, extortion, and money laundering.”
During Panev’s arrest, law enforcement found administrator credentials on his computer for a dark web repository containing LockBit ransomware source code, including tools for customizing attacks and stealing data, legal documents said. They also uncovered credentials for the LockBit control panel, used by affiliate groups to manage operations.
Panev admitted to Israeli authorities that he had performed coding, development and consulting work for the LockBit group, receiving regular cryptocurrency payments, the DOJ said. He acknowledged creating code to disable antivirus software, spread malware across victim networks and print ransom notes on all connected printers. Panev also admitted to writing and maintaining LockBit malware code and offering technical support to the group.
LockBit first emerged in 2020 and caught the attention of the Cybersecurity and Infrastructure Security Agency and its international counterparts, becoming a major global ransomware operation that held organizations’ sensitive data hostage in exchange for a ransom payment. In 2022, CISA deemed it the most active ransomware collective in the world.
Much of the group’s core infrastructure was taken down by the FBI and international partners during an operation announced in February. But some of its servers relaunched soon after.
LockBit, whose members are generally Russian-speaking and are believed to be based in Russia, was at the center of a major ransomware attack on the Chinese government-owned Industrial and Commercial Bank of China in November.