Ukrainian national charged with helping run LockerGoga, MegaCortex and Nefilim ransomware
A U.S. federal court unsealed a May 2024 indictment on Tuesday charging Ukrainian national Volodymyr Viktorovich Tymoshchuk for his alleged role as an administrator of several ransomware strains including LockerGoga, MegaCortex and Nefilim.
Between December 2018 and October 2021, Tymoshchuk allegedly used the three strains to attack hundreds of organizations across the U.S. and Europe, causing millions of dollars in damage, the Department of Justice said.
LockerGoga was best known for its 2019 attack on Norwegian aluminum giant Norsk Hydro.
Tymoshchuk is currently a fugitive, according to the U.S. State Department, which is offering an $11 million reward for information leading to his arrest.
Known online as deadforz, Boba, msfv and farnetwork, Tymoshchuk was a “serial ransomware criminal” who specifically targeted American companies, healthcare institutions and industrial firms, according to U.S. Attorney Joseph Nocella Jr.
Acting Assistant Attorney General Matthew Galeotti said Tymoshchuk was part of ransomware organizations that extorted more than 250 companies across the U.S. and hundreds more around the world.
“In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored,” Galeotti added in a statement.
Tymoshchuk is facing two conspiracy to commit fraud charges, three counts of intentional damage to a protected computer, one count of unauthorized access to a protected computer, and one count of transmitting a threat to disclose confidential information.
LockerGoga ransomware allegedly caused an estimated $104 million in damages and was implicated in attacks on French engineering consulting firm Altran, as well as manufacturing companies Hexion and Momentive.
Nocella Jr. explained that Tymoshchuk would create a new strain when decryptors were released for his past malware creations.
Prosecutors noted that Tymoshchuk was at times unable to complete his attacks because law enforcement notified victims that their networks had been compromised before he could deploy the ransomware.
“Volodymyr Tymoshchuk repeatedly used ransomware attacks to target hundreds of companies in the United States and around the globe in attempts to extort victims,” said Christopher Raia, FBI Assistant Director in Charge of the New York Field Office.
The DOJ said that at least one Nefilim ransomware affiliate, Artem Stryzhak, was extradited from Spain in May.
Well-known to security researchers
A decryptor for the LockerGoga ransomware strain was released in September 2022 as part of the No More Ransomware Project and another for MegaCortex was published in January 2023.
Researchers at the time told Recorded Future News they were contacted by several victims looking for ways to recover data after being attacked with the MegaCortex ransomware.
Bogdan Botezatu, director of threat research at Bitdefender, said MegaCortex was operated by a complex team, some of whom specialized in identifying and exploiting known vulnerabilities in exposed infrastructure or in leveraging a pre-existing infection on the network (such as Emotet or Qakbot).
European law enforcement agencies have conducted raids in several countries since 2021 targeting cybercriminals that used LockerGoga and MegaCortex during cyberattacks.
The group allegedly behind LockerGoga stopped being active in October 2021, when Europol worked with law enforcement agencies from Norway, France, the Netherlands, Ukraine, the U.K., Germany, Switzerland and the U.S. to arrest 12 alleged members.
Law enforcement officers from seven countries also said in 2023 that they arrested key members of a cybercriminal operation that used LockerGoga, MegaCortex and several other ransomware strains to earn millions.
Tommy Pigott, principal deputy spokesperson at the State Department, added on Tuesday that they are also seeking information on any other hackers involved with the Nefilim, LockerGoga, and MegaCortex ransomware variants.
Kosovo national pleads guilty to running BlackDB.cc
On Tuesday, prosecutors announced that Liridon Masurica pleaded guilty to a charge of conspiracy to commit access device fraud and is facing a maximum sentence of 10 years in prison for his role as lead administrator of criminal marketplace BlackDB.cc.
Masurica, a 33-year-old from Gjilan, Kosovo, ran the platform from 2018 to 2025, offering cybercriminals a place to sell compromised accounts, server credentials, credit card information and other personal information.
In several instances, information purchased on the site was used to facilitate tax fraud, credit card fraud and identity theft.
Masurica was arrested in Kosovo in December and extradited to the U.S. His sentencing date has not been set.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.