US Seeks Extradition of Dual Russian and Israeli Citizen Rostislav Panev from Israel
A newly unsealed U.S. federal indictment against Rostislav Panev says the LockBit ransomware operation paid the Israeli national a $10,000 monthly salary for coding and consulting services.
Federal prosecutors are seeking Panev’s extradition from Israel following his August arrest by police in the coastal city of Haifa at the behest of American authorities. Panev, 51, a dual Russian and Israeli citizen, faces a 41-count indictment for allegedly working for LockBit practically from its beginnings in 2019 (see: Breach Roundup: US Seeks Extradition of Alleged LockBit Coder).
Prosecutors say Israeli police told them that Panev admitted during questioning to developing features for the LockBit affiliate panel, including code causing a ransom note to be printed on all printers connected to a victim computer network. During questioning, Panev also allegedly copped to writing code to disable Windows Defender and creating a program that uses Active Directory to deploy code throughout a network.
Israeli police also told federal prosecutors that Panev asserted that he did not realize at first that the work he did was illegal, a claim prosecutors call dubious.
“Panev for years built and maintained the digital weapons that enabled his LockBit coconspirators to wreak havoc and cause billions of dollars in damage around the world,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey, where the case is being prosecuted. “He must now answer for his crimes.”
The once top-tier ransomware group is under a concerted international pressure campaign that has involved multiple server seizures, arrests, and the outing of its leader, Dmitry Yuryevich Khoroshev (see: LockBitSupp’s Identity Revealed: Dmitry Yuryevich Khoroshev).
The indictment says Panev communicated with Khoroshev – or at least with a criminal forum account with the username “LockBit” that authorities say was likely controlled by Khoroshev. One of “LockBit’s” messages to Panev was “The builder in the panel needs to be finished urgently.”
Israeli police say Panev also told them that he received monthly payments in Bitcoin worth approximately $10,000, for a total of at least $230,000 over his years-long engagement with the ransomware operation. The digital wallets used to pay Panev appear to have originated from a cluster of Bitcoin addresses linked to LockBit.
Other evidence cited in the indictment includes source code on Panev’s computer for the StealBit utility, a program for LockBit affiliates to exfiltrate and transmit data from victims’ systems. Investigators also found Panev’s computer had access to the LockBit control panel “and there is no legitimate reason for anyone to have access credentials to the control panel” unless they are part of the LockBit operation.
A document on Panev’s computer containing login credentials transmitted by Israeli police to U.S. investigators led to discovery of a Git repository hidden on the dark web that contained source code for multiple LockBit cryptolockers. Among the variants was code for cryptolockers tailored for virtual environments developed by Proxmox and Nutanix. The indictment says LockBit is working on versions to target instances of those virtualization platforms.