Europol recently arrested Rostislav Panev, a significant figure in the LockBit ransomware operation, which has targeted over 2,500 victims since its inception in 2019, amassing over $500 million in ransom. Panev’s capture in Israel yielded essential evidence, including access credentials and documentation for sophisticated hacking techniques. He is linked to discussions with LockBit’s main administrator and has admitted to developing malware capabilities, while U.S. authorities continue to pursue additional members of the gang.
Europol’s Crackdown on LockBit Cybercriminals
In early October, Europol, the European police agency, provided limited details regarding its extensive operation against LockBit cybercriminals, known as Cronos. This initiative led to the arrest in August of an individual believed to be a key player in the development of the notorious ransomware, following a request from the French judiciary.
Reports indicate that the suspect is Rostislav Panev, who was apprehended at his residence in Haifa, Israel, on August 18, 2024. Local media outlet Ynet has identified him as one of the prominent developers behind the infamous ransomware. Once renowned as the leading criminal organization in the ransomware domain, LockBit has attempted to keep up appearances amidst its increasing legal challenges, for example by posting fictitious attack claims on its blog to confuse the public.
Impact and Evidence of LockBit’s Operations
Emerging in September 2019, LockBit has wreaked havoc on various sectors, reportedly targeting over 2,500 victims and raking in more than $500 million in ransom payments, according to the latest figures from U.S. authorities. Ransom demands have varied, ranging from thousands to millions of dollars, including a notable case in January 2023, where a Kentucky-based company paid a hefty sum.
At 51 years old, Panev is now facing extradition to the United States, which has also sought his arrest. His capture has reportedly yielded crucial evidence for investigators. Authorities uncovered administrative access credentials on his computer for an online Git repository located on the dark web, which contained multiple source codes for the ransomware and its exfiltration tool, StealBit. Access to this source code let affiliates alter how the malware handled data and build tailored versions of the malicious software.
Furthermore, police discovered documentation for executing a “mask attack,” a technique that speeds up brute-force password attacks by restricting which character combinations are tried, based on assumptions about the password’s structure. For instance, the attack could specify that the last two characters of a password must be digits.
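To make concrete why such a mask matters for password policy, the following is an added example (not from the article or any tool it names): a small keyspace calculator that parses a mask in the widely used hashcat-style notation (?l, ?u, ?d, ?s, ?a; this notation is an assumption, not something the article states) and reports how many bits of search space a "last two characters are digits" constraint removes compared with an unconstrained brute force of the same length.

```python
# Added example (not from the article): quantify how much a "mask" shrinks the
# search space a brute-force attack must cover. Defenders can use this to see
# why a predictable structure (e.g. "ends in two digits") weakens a password.
# Mask syntax follows the common hashcat-style convention (an assumption):
#   ?l lowercase, ?u uppercase, ?d digit, ?s symbol, ?a any printable,
#   ?? a literal '?'; any other character is a literal matching only itself.
import math

CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}
FULL_PRINTABLE = 95  # printable ASCII: what an unconstrained brute force covers


def parse_mask(mask: str) -> list:
    """Return the alphabet size at each position described by the mask."""
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            code = mask[i + 1]
            if code == "?":
                sizes.append(1)  # escaped literal question mark
            elif code in CHARSET_SIZES:
                sizes.append(CHARSET_SIZES[code])
            else:
                raise ValueError(f"unknown charset ?{code}")
            i += 2
        else:
            sizes.append(1)  # literal character: exactly one possibility
            i += 1
    return sizes


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask attack has to try."""
    return math.prod(parse_mask(mask))


def full_keyspace(length: int) -> int:
    """Number of candidates for a full printable-ASCII brute force."""
    return FULL_PRINTABLE ** length


def reduction_bits(mask: str) -> float:
    """Bits of search space the mask removes relative to full brute force."""
    length = len(parse_mask(mask))
    return math.log2(full_keyspace(length) / mask_keyspace(mask))


if __name__ == "__main__":
    # The article's example: an 8-character password whose last two are digits.
    m = "?a?a?a?a?a?a?d?d"
    print(m, mask_keyspace(m), full_keyspace(8), f"{reduction_bits(m):.1f} bits lost")
```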
Investigators have also linked Panev to communications with Dmitri Khoroshev, known as “LockBitSupp,” who is identified as the main administrator of the ransomware. Their exchanges reportedly involved discussions about ongoing enhancements to the malware.
Financial transactions have revealed that approximately $230,000 (roughly equivalent in euros) flowed from the LockBit administrator to Panev between June 2022 and February 2024, suggesting a monthly compensation of around $10,000.
Panev has confessed to Israeli authorities that he contributed to programming the disabling of Windows Defender antivirus software. Additionally, he was involved in deploying the ransomware across Active Directory systems and ensuring that ransom notes were printed on every network printer.
Initially, Panev claimed ignorance regarding the criminal nature of his work but later acknowledged the reality of his actions while enjoying the substantial financial rewards. Currently, seven individuals associated with the LockBit gang are facing charges in the United States. While two have been apprehended, five remain at large, with the U.S. government offering rewards of up to $10 million for information leading to the arrest of the gang’s leaders.