The United States has announced an $11 million reward for information leading to the arrest of Volodymyr Tymoshchuk, a Ukrainian national accused of orchestrating multiple ransomware campaigns. Tymoshchuk faces seven federal charges tied to cyberattacks that allegedly resulted in the theft of $18 billion between December 2018 and October 2021. If convicted, he could face a maximum sentence of life in prison.

Authorities accuse Tymoshchuk of leading operations behind MegaCortex, LockerGoga, and Nefilim ransomware strains. These attacks targeted blue-chip US companies, health care providers, and foreign industrial firms. One of the most notable cases was the 2019 LockerGoga attack on Norsk Hydro, which disrupted operations at 170 sites and caused damages of around $81 million.

US Attorney Joseph Nocella Jr. described Tymoshchuk as a “serial ransomware criminal” who frequently evaded law enforcement by developing new malware strains. He said the indictment demonstrates international cooperation to expose and charge a “dangerous and pervasive ransomware actor.”

Investigators allege that Tymoshchuk managed LockerGoga and MegaCortex offensives until mid-2020 before moving to the Nefilim ransomware strain. He reportedly sold access to Nefilim to other attackers in exchange for a 20% share of ransom payments. Nefilim affiliates allegedly focused on companies valued at over $100 million, staying hidden on networks for months before launching attacks.

The ransomware operations relied on penetration testing tools such as Metasploit and Cobalt Strike, repurposed for malicious use. MegaCortex, initially designed for corporate targets, spread uncontrollably to personal computers in late 2019. Nefilim, by contrast, maintained its focus on high-value corporate victims.

An unsealed indictment, archived by The Register, lists several unnamed victims across the US and Europe. Tymoshchuk is also linked to Artem Stryzhak, another figure extradited earlier in connection with ransomware activities. If Tymoshchuk is extradited, he will stand trial in the US on charges of damaging private computers and threatening to disclose stolen information.

By admin