Unsealed Indictment Exposes Mastermind Behind Notorious Ransomware Gangs

The U.S. Department of Justice has unsealed a superseding indictment against Volodymyr Viktorovich Tymoshchuk — also known by online aliases deadforz, Boba, msfv, and farnetwork — a Ukrainian national accused of serving as an administrator in three notorious ransomware operations: LockerGoga, MegaCortex, and Nefilim.

According to the DOJ, “Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world.” Acting Assistant Attorney General Matthew R. Galeotti noted that in many cases “these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored.”

The indictment alleges that from December 2018 to October 2021, Tymoshchuk and his co-conspirators deployed customized ransomware executables designed to encrypt networks across the U.S., France, Germany, the Netherlands, Norway, and Switzerland. These attacks caused millions of dollars in losses, including remediation costs and ransom payments.

The DOJ states that between July 2019 and June 2020, Tymoshchuk and his associates compromised more than 250 victim companies in the U.S. and abroad using LockerGoga and MegaCortex ransomware. Law enforcement often thwarted these attacks by notifying victims before encryption could occur.

From July 2020 through October 2021, Tymoshchuk allegedly became an administrator for the Nefilim ransomware operation. Prosecutors allege that he and other administrators provided affiliates, including co-defendant Artem Stryzhak, “with access to the Nefilim ransomware in exchange for 20 percent of the ransom proceeds extorted from Nefilim victims.”

U.S. Attorney Joseph Nocella Jr. described Tymoshchuk as “a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay.” He further noted that Tymoshchuk “stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted.”

The indictment follows years of international coordination. In September 2022, authorities released decryption keys for LockerGoga and MegaCortex through the No More Ransomware Project, enabling victims to recover data without paying ransoms.

Tymoshchuk now faces a seven-count indictment, including:

• Two counts of conspiracy to commit fraud and related activity in connection with computers.
• Three counts of intentional damage to a protected computer.
• One count of unauthorized access to a protected computer.
• One count of transmitting a threat to disclose confidential information.

If convicted, he could face decades in prison.

Related Posts:

• DOJ Cracks Down on Anyproxy & 5socks Botnets, Four Charged
• OmegaPro Founders Charged: DOJ Unseals Indictment for $650M Global Crypto Ponzi Scheme
• $5 Million Reward Offered After Indictment of North Korean Cyber Operatives
• North Korean IT Workers Indicted in Elaborate “Laptop Farm” Scheme to Evade Sanctions
• Windows User Count Controversy: Microsoft Silently “Corrects” User Base to 1.4 Billion After Implied 400M Drop